Identity Deployments

When the system detects user data from a user login, from any identity source, the user from the login is checked against the list of users in the CDO user database. If the login user matches an existing user, the data from the login is assigned to the user. Logins that do not match existing users cause a new user to be created, unless the login is in SMTP traffic. Non-matching logins in SMTP traffic are discarded.

The group to which the user belongs is associated with the user as soon as the user is seen by the CDO.

Sample identity deployments

The sample deployments discussed in this section are based on the system shown in the following figure.

One sample identity deployment sends to the secure firewall manager and managed devices user data collected from LDAP or Active Directory. Because user data typically won't be accessible to CDO, if you use CDO, you can set up one or more proxy devices (or a proxy sequence) to get the user data to the secure firewall manager.

In the preceding figure, CDO and one managed device are deployed to AWS and the other devices are located on premises. These devices can be either physical or virtual; they just need to be able to communicate with each other.

The two on-premises managed devices are intended to be used as a proxy sequence. You must add those devices to CDO as well.

A proxy sequence is one or more managed devices that can be used to communicate with an LDAP, Active Directory, or ISE/ISE-PIC server. It is necessary only if CDO cannot communicate with your Active Directory or ISE/ISE-PIC server. (For example, CDO might be in a public cloud but Active Directory or ISE/ISE-PIC might be in a private cloud.)

LDAP or Active Directory are needed only for TS Agent and captive portal, as the following paragraphs explain.

For more information about setting up a system like this, see How to Set Up an Identity Policy.

ISE/ISE-PIC identity source

When you deploy the ISE/ISE-PIC identity source, CDO contacts the proxy sequence if CDO cannot contact the ISE/ISE-PIC server directly. Users, groups, and subscriptions are sent from the ISE/ISE-PIC server to the managed device in AWS.

You can optionally have an LDAP server in an ISE/ISE-PIC deployment but because it's optional, it isn't shown in the following figure.

For more information about ISE/ISE-PIC, see The ISE/ISE-PIC Identity Source.

A variation of the user identity deployment uses ISE/ISE-PIC as the user store. As with the preceding sample deployment, you can set up one or more proxies to send data to the secure firewall manager and the devices it manages.

TS Agent identity source

The Terminal Services (TS) Agent software runs on a Microsoft Server and sends CDO user information based on the port range the users log in to the server with. TS Agent gets user identity information from LDAP or Active Directory and sends it to CDO.

For more information about the TS Agent identity source, see The Terminal Services (TS) Agent Identity Source.

If you choose to use the TS Agent identity source, you can deploy identity services in a manner consistent with those already discussed.

Captive portal

Captive portal is the only identity source that supports LDAP in addition to Active Directory. The captive portal identity source is triggered when a user tries to access network resources using the managed device in AWS, using either an IP address or host name. Captive portal gets user information from LDAP or Active Directory using the proxy sequence and sends user information to CDO.

For more information about the captive portal identity source, see The Captive Portal Identity Source.