Cross-domain trust setups with Cloud-Delivered Firewall Management Center

A cross-domain trust setup allows discovery and use of users and groups from multiple domains in access control policies.

This is an introduction to several topics that walk you through configuring the Cloud-Delivered Firewall Management Center with two realms having cross-domain trust.

Example setup configuration

This step-by-step example involves two forests: forest.example.com and eastforest.example.com. The forests are configured so that certain users and groups in each forest can be authenticated by Microsoft AD in the other forest.

The example setup uses this configuration:

The simplest way to access users in Active Directory forests is to set up each domain in a forest as a realm. The forests must be configured with a two-way transitive forest trust relationship. Only domains that contain users you wish to include in access control policies need to be configured as realms.

Using this example, you would set up the Cloud-Delivered Firewall Management Center with these components:

  • Realm and directory for any domain in forest.example.com that contains users you want to control with access control policy

  • Realm and directory for any domain in eastforest.example.com that contains users you want to control with access control policy

Each realm in the example has one domain controller, which is configured in the Cloud-Delivered Firewall Management Center as a directory. The directories in this example are configured as follows:

  • forest.example.com

    • Base distinguished name (DN) for users: ou=UsersWest,dc=forest,dc=example,dc=com

    • Base DN for groups: ou=EngineringWest,dc=forest,dc=example,dc=com

  • eastforest.example.com

    • Base DN for users: ou=EastUsers,dc=eastforest,dc=example,dc=com

    • Base DN for groups: ou=EastEngineering,dc=eastforest,dc=example,dc=com
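The following is an added example, not part of this Cisco documentation and not the product's own code. It encodes the two-realm table above as constructed data and checks the one thing that is easy to get wrong when several realms are defined: that each realm's user and group base DNs actually sit in the domain that realm represents, and that a given user DN falls under exactly the base DN of the realm expected to discover it. The `Realm` class, the `REALMS` table, and the helper functions are assumptions introduced for this illustration; the DN handling is a minimal RFC 4514-style split (escaped commas only, no multi-valued RDNs).

```python
"""Sanity-check realm/directory base DNs for a cross-domain trust setup.

Added example (not Cisco code). The realm table is constructed to mirror the
two forests described on this page.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Realm:
    domain: str         # AD domain the realm represents, e.g. "forest.example.com"
    user_base_dn: str   # base DN for user discovery in this realm's directory
    group_base_dn: str  # base DN for group discovery in this realm's directory


# Constructed realm table matching the example setup above
REALMS = (
    Realm("forest.example.com",
          "ou=UsersWest,dc=forest,dc=example,dc=com",
          "ou=EngineringWest,dc=forest,dc=example,dc=com"),
    Realm("eastforest.example.com",
          "ou=EastUsers,dc=eastforest,dc=example,dc=com",
          "ou=EastEngineering,dc=eastforest,dc=example,dc=com"),
)

_RDN_SPLIT = re.compile(r'(?<!\\),')   # a comma that is not backslash-escaped


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first, root (dc=...) last.
    Handles backslash-escaped commas; multi-valued RDNs are not needed here."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def dn_domain(dn):
    """Derive the AD DNS domain from the dc= components of a DN."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")


def dn_is_under(dn, base_dn):
    """True if dn sits at or below base_dn in the directory tree (case-insensitive)."""
    rdns, base = parse_dn(dn), parse_dn(base_dn)
    if len(rdns) < len(base):
        return False
    tail = [(a, v.lower()) for a, v in rdns[-len(base):]]
    return tail == [(a, v.lower()) for a, v in base]


def validate_realms(realms):
    """Return a list of configuration problems; an empty list means the table is consistent."""
    problems = []
    seen = set()
    for r in realms:
        if r.domain.lower() in seen:
            problems.append(f"duplicate realm for {r.domain}")
        seen.add(r.domain.lower())
        for label, base in (("user", r.user_base_dn), ("group", r.group_base_dn)):
            try:
                dom = dn_domain(base)
            except ValueError as exc:
                problems.append(str(exc))
                continue
            # A base DN from another domain would never be searched by this realm's directory
            if dom.lower() != r.domain.lower():
                problems.append(f"{label} base DN {base} belongs to {dom}, not realm {r.domain}")
    return problems


def realm_for_user(user_dn, realms):
    """Domain of the realm whose user base DN contains user_dn, or None if no realm would discover it."""
    for r in realms:
        if dn_is_under(user_dn, r.user_base_dn):
            return r.domain
    return None


if __name__ == "__main__":
    for problem in validate_realms(REALMS) or ["realm table is consistent"]:
        print(problem)
```

A user whose DN is outside every configured user base DN (for instance, an OU that was never added to a realm) is reported as `None`, which is exactly the case where that user will not appear in access control policies even though the forest trust is in place.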