Configure User-ID for Numerous Mapping Information Sources

  1. Configure Windows Log Forwarding on the member servers that will collect login events.
    Configure Windows Log Forwarding. This step requires administrative privileges for configuring group policies on Windows servers.
  2. Install the Windows-based User-ID agent.
    Install the Windows-Based User-ID Agent on a Windows server that can access the member servers. Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
  3. Configure the User-ID agent to collect user mapping information from the member servers.
    1. Start the Windows-based User-ID agent.
    2. Select User Identification > Discovery and perform the following steps for each member server that will receive events from domain controllers:
      1. In the Servers section, click Add and enter a Name to identify the member server.
      2. In the Server Address field, enter the FQDN or IP address of the member server.
      3. For the Server Type, select Microsoft Active Directory.
      4. Click OK to save the server entry.
    3. Configure the remaining User-ID agent settings: see Configure the Windows-Based User-ID Agent for User Mapping.
    4. If the User-ID sources provide usernames in multiple formats, specify the format for the Primary Username when you Map Users to Groups.
      The primary username is the username that identifies the user on the firewall and represents the user in reports and logs, regardless of the format that the User-ID source provides.
  4. Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.
    To improve availability, use at least two Global Catalog servers for redundancy.
    You can collect group mapping information only for universal groups, not local domain groups (subdomains).
    1. Select Device > Server Profiles > LDAP, click Add, and enter a Name for the profile.
    2. In the Servers section, for each Global Catalog, click Add and enter the server Name, IP address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (Start TLS) connection, use Port 3268. For an LDAP over SSL connection, use Port 3269. If the connection will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
    3. In the Base DN field, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example, DC=acbdomain,DC=com).
    4. For the Type, select active-directory.
    5. Configure the remaining fields as necessary: see Add an LDAP server profile.
  5. Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information.
    User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.
    To improve availability, use at least two servers for redundancy.
    The steps are the same as for the LDAP server profile you created for Global Catalogs in Step 4, except for the following fields:
    • LDAP Server—Enter the IP address of the domain controller that contains the domain mapping information.
    • Port—For a plaintext or Start TLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
    • Base DN—Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).
  6. Create a group mapping configuration for each LDAP server profile you created.
    1. Select Device > User Identification > Group Mapping Settings.
    2. Click Add and enter a Name to identify the group mapping configuration.
    3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
    4. Configure the remaining fields as necessary: see Map Users to Groups.
      If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
    5. Click OK and Commit.
