Realm Directory and Synchronize fields

Realm Directory Fields

These settings apply to individual servers (such as Active Directory domain controllers) in a realm.

Hostname / IP Address
Fully qualified host name of the Active Directory domain controller machine. To find the fully qualified name, see Find the Active Directory Server's Name.

If you're using Kerberos for authenticating captive portal, also make sure you understand the following:

If you're using Kerberos authentication, the managed device's host name must be less than 15 characters (it's a NetBIOS limitation set by Windows); otherwise, captive portal authentication fails. You set the managed device host name when you set up the device. For more information, see an article like this one on the Microsoft documentation site: Naming conventions in Active Directory for computers, domains, sites, and OUs.

DNS must return a response of 64 KB or less for the hostname lookup; otherwise, the AD connection test fails. This limit applies in both directions and is discussed in RFC 6891, section 6.2.5.

Port

The server's port.

Encryption

(Strongly recommended.) The encryption method to use:

  • STARTTLS—encrypted LDAP connection

  • LDAPS—encrypted LDAP connection

  • None—unencrypted LDAP connection (unsecured traffic)

To communicate securely with an Active Directory server, see Connect Securely to Active Directory.

CA Certificate

The TLS/SSL certificate to use for authentication to the server. You must configure STARTTLS or LDAPS as the Encryption type to use a TLS/SSL certificate.

If you are using a certificate to authenticate, the name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but computer1.example.com in the certificate, the connection fails.
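The Encryption and CA Certificate settings above map onto an ordinary TLS client configuration. The following Python example (added here; it is not Cisco's code and does not reproduce how the management center connects internally) shows the URI scheme each Encryption option implies, a verifying TLS context built with the standard library, and why the page's example of 10.10.10.250 configured against a certificate issued to computer1.example.com fails name checking. The port defaults, the sample certificate description and all function names are assumptions made for the example.

```python
import ipaddress
import ssl
from typing import Optional

# Default server ports per Encryption option (constructed mapping for the example; the
# page itself only says which options are encrypted).
DEFAULT_PORT = {"STARTTLS": 389, "LDAPS": 636, "None": 389}


def ldap_uri(hostname: str, encryption: str, port: Optional[int] = None) -> str:
    """URI a client would open for the chosen Encryption option.

    STARTTLS and None both open plain ldap:// on the port; STARTTLS then upgrades the
    session to TLS, while LDAPS uses ldaps:// and TLS from the first byte.
    """
    if encryption not in DEFAULT_PORT:
        raise ValueError(f"unknown Encryption option: {encryption!r}")
    scheme = "ldaps" if encryption == "LDAPS" else "ldap"
    return f"{scheme}://{hostname}:{port or DEFAULT_PORT[encryption]}"


def build_verifying_context(ca_cert_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context for STARTTLS or LDAPS that verifies the chain and the name.

    The CA Certificate field corresponds to load_verify_locations(); check_hostname=True
    is what turns a certificate-name / configured-name mismatch into a failed connection.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_cert_path:
        ctx.load_verify_locations(cafile=ca_cert_path)
    return ctx


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or one wildcard as the left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] == "*" and len(p_labels) > 2 and len(p_labels) == len(h_labels):
        return p_labels[1:] == h_labels[1:]
    return False


def configured_name_matches(configured: str, peer_cert: dict) -> bool:
    """Does the Hostname / IP Address value match the server certificate?

    peer_cert uses the dict layout returned by ssl.SSLSocket.getpeercert(). An IP
    address in the field only matches an 'IP Address' SAN; a DNS name only matches a
    'DNS' SAN. The subject CN is not consulted, as in current verifiers.
    """
    sans = peer_cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(configured)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in sans)
    return any(kind == "DNS" and dns_name_matches(value, configured)
               for kind, value in sans)


# Constructed certificate description: the DC's certificate names only computer1.example.com.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "computer1.example.com"),),),
    "subjectAltName": (("DNS", "computer1.example.com"),),
}

if __name__ == "__main__":
    print(ldap_uri("computer1.example.com", "LDAPS"))
    for configured in ("computer1.example.com", "10.10.10.250"):
        ok = configured_name_matches(configured, SAMPLE_DC_CERT)
        print(configured, "->", "ok" if ok else "mismatch, connection fails")
```

The practical consequence is the one the page states: if the field holds an IP address, the certificate must carry that address in an IP Address SAN, and if it holds a DNS name, the certificate must carry that name (or a matching wildcard) in a DNS SAN; otherwise verification fails before any bind is attempted.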

Interface used to connect to Directory server

Required only for RA VPN authentication so the Secure Firewall Threat Defense can connect securely to your Active Directory server. This interface is not used for downloading users and groups, however.

You can choose only a routed interface group. For more information, see Interface.

Click one of the following:
  • Resolve via route lookup: Use routing to connect to the Active Directory server.

  • Choose an interface: Choose a specific managed device interface group to connect to the Active Directory server.

User Synchronize Fields

AD Primary Domain

For Microsoft Active Directory realms only. Domain for the Active Directory server where users should be authenticated.

Note

You must specify a unique AD Primary Domain for every Microsoft Active Directory (AD) realm. Although the system allows you to specify the same AD Primary Domain for different Microsoft AD realms, the system won't function properly. This happens because the system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group. The system prevents you from specifying more than one realm with the same AD Primary Domain because users and groups won't be identified properly.

Enter query to look for users and groups

Base DN:

(Optional.) The directory tree on the server where the management center should begin searching for user data.

Typically, the base distinguished name (DN) has a basic structure indicating the company domain name and operational unit. For example, the Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com.

Group DN:

(Optional.) The directory tree on the server where the management center should search for users with the group attribute. A list of supported group attributes is shown in Supported Server Object Class and Attribute Names.

Note

Neither the group name nor the organizational unit name can contain special characters such as asterisk (*), equals (=), or backslash (\), because users in those groups are not downloaded and cannot be used in identity policies.
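To make the Base DN and Group DN fields concrete, here is an added Python example (not Cisco's code, and not how the management center validates these fields) that splits a DN such as ou=security,dc=example,dc=com into its components, flags group or OU names containing the characters the note rules out, and shows the RFC 4515 escaping an LDAP client applies when it places a group name inside a search filter. The filter shape and every function name are assumptions for the example; the page does not say that filter escaping is the product's reason for the restriction, only that such users are not downloaded.

```python
# Characters the page says a group or organizational unit name must not contain.
UNSUPPORTED_NAME_CHARS = frozenset("*=\\")
HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> list:
    """Split a DN such as 'ou=security,dc=example,dc=com' into (attribute, value) pairs.

    Backslash escapes follow RFC 4514: '\\,' keeps a literal comma inside a value and
    '\\3D' is the hex form of '='. Attribute types are lower-cased for comparison.
    """
    components, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
            buf.append(chr(int(dn[i + 1:i + 3], 16)))   # hex-escaped byte
            i += 3
        elif ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])                       # escaped special character
            i += 2
        elif ch == ",":
            components.append("".join(buf))             # unescaped comma ends an RDN
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    components.append("".join(buf))

    pairs = []
    for comp in components:
        attr, sep, value = comp.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed DN component: {comp!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def name_is_supported(name: str) -> bool:
    """True when a group or OU name has none of the characters the page rules out."""
    return not (set(name) & UNSUPPORTED_NAME_CHARS)


def unsupported_names_in(group_dn: str) -> list:
    """Names in a Group DN whose members would not be downloaded, per the page's note."""
    return [value for attr, value in parse_dn(group_dn)
            if attr in ("cn", "ou") and not name_is_supported(value)]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def group_search_filter(group_name: str) -> str:
    """Filter that looks up one group by name (assumed shape for this example).

    The escaping keeps a '*' in the name literal, so the name cannot widen the search
    into a wildcard match.
    """
    return f"(&(objectClass=group)(cn={escape_filter_value(group_name)}))"


if __name__ == "__main__":
    print(parse_dn("ou=security,dc=example,dc=com"))
    print(unsupported_names_in("cn=Sales*,ou=security,dc=example,dc=com"))
    print(group_search_filter("Sales*"))
```

Running the check against a Group DN before saving the realm is a cheap way to find names that would silently leave users out of identity policies.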

Load Groups

Enables you to download users and groups for user awareness and user control.

Available Groups, Add to Include, Add to Exclude

Limits the groups that can be used in policy.

  • Groups that are displayed in the Available Groups field are available for policy unless you move groups to the Included Groups and Users or Excluded Groups and Users field.

  • If you move groups to the Included Groups and Users field, only those groups and the users they contain are downloaded, and their user data is available for user awareness and user control.

  • If you move groups to the Excluded Groups and Users field, all groups and users except those groups and the users they contain are downloaded and available for user awareness and user control.

  • To include users from groups that are not included, enter the user name in the field below User Inclusion and click Add.

  • To exclude users from groups that are not excluded, enter the user name in the field below User Exclusion and click Add.

    Note

    The set of users downloaded to the management center is calculated using the formula R = I - (E + e) + i, where

    • R is the list of downloaded users

    • I is the included groups

    • E is the excluded groups

    • e is the excluded users

    • i is the included users
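The following Python example (added here; not Cisco's code, and no real directory is queried) applies the formula R = I - (E + e) + i with set semantics to a constructed directory snapshot, so you can see how include and exclude choices combine before committing a synchronization. The sample groups and members, and the reading that I is every available group when no group is moved to Included, are assumptions for the example.

```python
# Constructed directory snapshot (group name -> member user names); no real AD is queried.
SAMPLE_GROUPS = {
    "Engineering": {"alice", "bob", "carol"},
    "Finance": {"dave", "erin"},
    "Contractors": {"carol", "frank"},
    "Interns": {"grace"},
}


def users_in(groups: dict, names) -> set:
    """Union of the members of the named groups; an unknown group name is an error."""
    names = list(names)
    unknown = set(names) - set(groups)
    if unknown:
        raise KeyError(f"not in Available Groups: {sorted(unknown)}")
    return set().union(*(groups[n] for n in names))


def downloaded_users(groups: dict, included_groups=(), excluded_groups=(),
                     included_users=(), excluded_users=()) -> set:
    """Apply R = I - (E + e) + i with set semantics.

    I: members of the Included groups, or of every Available group when none is moved
       (the page: all displayed groups are available unless you move some).
    E: members of the Excluded groups.  e: users listed under User Exclusion.
    i: users listed under User Inclusion, added last, so a user named in both e and i
       is downloaded.
    """
    I_users = users_in(groups, included_groups or groups)
    E_users = users_in(groups, excluded_groups)
    return (I_users - (E_users | set(excluded_users))) | set(included_users)


if __name__ == "__main__":
    # carol is dropped because Contractors is excluded even though Engineering is
    # included; frank comes back through User Inclusion; bob goes through User Exclusion.
    print(sorted(downloaded_users(SAMPLE_GROUPS,
                                  included_groups=["Engineering"],
                                  excluded_groups=["Contractors"],
                                  included_users=["frank"],
                                  excluded_users=["bob"])))
```

Two points worth checking in your own configuration show up immediately: a user who belongs to both an included and an excluded group is not downloaded (exclusion is subtracted from I), and User Inclusion wins over every exclusion because i is added last.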

Synchronize Now

Click to synchronize groups and users with AD.

Begin automatic synchronization at

Enter the time and time interval at which to download users and groups from AD.