Configure the Secure Firewall Management Center for Cross-Domain-Trust Step 1: Configure Realms and Directories

This is the first task in a step-by-step procedure that explains how to configure the management center to recognize Active Directory servers configured in a cross-domain trust relationship, which is an increasingly common configuration for enterprise organizations. For an overview of this sample configuration, see Configure the Management Center for Cross-Domain-Trust: The Setup.

If you set up the system with one realm for each domain and one directory for each domain controller, the system can discover up to 100,000 foreign security principals (users and groups). If these foreign security principals match a user downloaded in another realm, then they can be used in access control policy.

Before you begin

You must configure Microsoft Active Directory servers in a cross-domain trust relationship; see Realms and Trusted Domains for more information.

If you authenticate users with LDAP, you cannot use this procedure.
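Before you create the two realms, it is worth confirming from the Active Directory side that the trust the page requires actually exists, in which direction, and how many foreign security principals each forest holds against the 100,000 discovery limit stated above. The following PowerShell is an added example and is not part of the Cisco page; it assumes the RSAT ActiveDirectory module is installed on the workstation, that the account running it can read both forests, and that forest.example.com and eastforest.example.com are the two forests used later in this procedure.

```powershell
# Added example (not from the Cisco page): pre-flight checks for the
# cross-domain-trust realm setup, run from an AD PowerShell session.
# Assumes the RSAT ActiveDirectory module and read access to both forests.
Import-Module ActiveDirectory

$Forests  = @('forest.example.com', 'eastforest.example.com')   # the two forests in this procedure
$FspLimit = 100000   # foreign security principals the page says the system can discover

foreach ($Forest in $Forests) {
    Write-Host "=== $Forest ==="

    # 1. Confirm a trust to the other forest exists and note its direction.
    #    With a one-way trust, only one side's foreign security principals
    #    will match users downloaded from the other realm.
    $Other  = $Forests | Where-Object { $_ -ne $Forest }
    $Trusts = Get-ADTrust -Filter * -Server $Forest
    foreach ($Trust in $Trusts) {
        Write-Host ("Trust to {0}: direction={1} forestTransitive={2}" -f
            $Trust.Target, $Trust.Direction, $Trust.ForestTransitive)
    }
    if (-not ($Trusts | Where-Object { $_.Target -eq $Other })) {
        Write-Warning "No trust from $Forest to $Other; principals from $Other will not resolve in this realm."
    }

    # 2. Count foreign security principals. These are the objects the
    #    management center discovers and matches against users downloaded
    #    in the other realm, so they are what the 100,000 limit applies to.
    $DomainDN = (Get-ADDomain -Server $Forest).DistinguishedName
    $FspBase  = "CN=ForeignSecurityPrincipals,$DomainDN"
    $Fsps     = Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
                    -SearchBase $FspBase -Server $Forest
    $Count    = @($Fsps).Count
    Write-Host "Foreign security principals under ${FspBase}: $Count"
    if ($Count -gt $FspLimit) {
        Write-Warning "$Count exceeds the $FspLimit discovery limit; some principals will not be usable in access control."
    }
}
```

Run it once per forest pair before you start Step 1; a missing or one-way trust is far easier to fix here than to diagnose later from an empty user list in the management center.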

Procedure

Step 1

Log in to the management center.

Step 2

Click Integration > Other Integrations > Realms.

Step 3

Choose from the Add Realm drop-down list.

Step 4

Enter the following information to configure forest.example.com.

To set up a realm, configure the required fields and click Test. Make sure the test is successful before you configure the directory.

Note

The Directory Username can be any user in the Active Directory domain; no special permissions are required. Because the account only needs read access, use a dedicated, low-privilege account for this purpose rather than an administrative one.

The Interface used to connect to Directory server can be any interface that can reach the Active Directory server.

Step 5

Proxy is an optional managed device or proxy sequence to communicate with ISE/ISE-PIC if CDO is unable to do so. For example, your CDO might be in a public cloud but the ISE/ISE-PIC server might be on an internal intranet.

Step 6

Click Test and make sure the test succeeds before you continue.

Step 7

Click Configure Groups and Users.

Step 8

If your configuration was successful, a page similar to the following is displayed.

If you configured the realm and directory correctly, you'll see a list of users and groups.

Note

If groups and users were not downloaded, verify the values in the Base DN and Groups DN fields and click Load Groups.

There are other optional configurations available on this page; for more information about them, see Realm Fields and Realm Directory and Synchronize fields.
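When Load Groups returns nothing, the cause is almost always a Base DN or Groups DN that does not exist or that the Directory Username cannot read. The following PowerShell is an added example and is not part of the Cisco page; it checks both DNs from an AD PowerShell session using the same credential you entered as the Directory Username. The server name, Base DN and Groups DN below are assumed placeholders for forest.example.com; substitute the values from your realm directory.

```powershell
# Added example (not from the Cisco page): validate the realm directory's
# Base DN and Groups DN with the bind account before clicking Load Groups.
# Assumes the RSAT ActiveDirectory module; the DNs below are placeholders.
Import-Module ActiveDirectory

$Server   = 'forest.example.com'                          # directory server from the realm
$BaseDN   = 'DC=forest,DC=example,DC=com'                 # assumed Base DN
$GroupsDN = 'CN=Users,DC=forest,DC=example,DC=com'        # assumed Groups DN
$Cred     = Get-Credential -Message 'Directory Username used in the realm'

function Test-RealmDn {
    param([string]$Dn, [string]$ObjectClass, [string]$Label)

    # The DN must exist and be readable by the bind account ...
    try {
        $null = Get-ADObject -Identity $Dn -Server $Server -Credential $Cred
    } catch {
        Write-Warning "$Label '$Dn' does not exist or is not readable by $($Cred.UserName): $_"
        return $false
    }

    # ... and objects of the expected class must be visible beneath it.
    # An existing DN with zero users/groups under it usually means the
    # wrong container was chosen, not a permissions problem.
    $Found = Get-ADObject -LDAPFilter "(objectClass=$ObjectClass)" -SearchBase $Dn `
                 -SearchScope Subtree -Server $Server -Credential $Cred -ResultSetSize 5
    $N = @($Found).Count
    Write-Host ("{0} '{1}': {2} {3} object(s) visible (sampled up to 5)" -f $Label, $Dn, $N, $ObjectClass)
    return ($N -gt 0)
}

$UsersOk  = Test-RealmDn -Dn $BaseDN   -ObjectClass 'user'  -Label 'Base DN'
$GroupsOk = Test-RealmDn -Dn $GroupsDN -ObjectClass 'group' -Label 'Groups DN'

if ($UsersOk -and $GroupsOk) {
    Write-Host 'Base DN and Groups DN look correct for this account; Load Groups should populate the list.'
} else {
    Write-Warning 'Correct the DN(s) flagged above in the realm directory, then click Load Groups again.'
}
```

Running this with the realm's own bind credential, rather than your admin account, matters: it reproduces exactly what the management center sees, so a DN that works for you but not for the service account shows up here instead of as an empty list in the UI.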

Step 9

If you made changes on this page or on any of its tabs, click Save.

Step 10

Click Integration > Other Integrations > Realms.

Step 11

Click Add Realm.

Step 12

Enter the following information to configure eastforest.example.com.

To set up a realm, configure the required fields and click Test. Make sure the test is successful before you configure groups and users.

Step 13

Click Test and make sure the test succeeds before you continue.

Step 14

Click Configure Groups and Users.

Step 15

If your configuration was successful, a page similar to the following is displayed.

If you configured the realm and directory correctly, you'll see a list of users and groups.