Tying your firewall to your Active Directory environment offers several benefits. First, it lets you use AD credentials for user VPN access, so if someone leaves the organization you simply disable their AD account and their VPN access is disabled along with it. Tying into AD also lets you reference AD security groups in your policies, so access is granted based on group membership. This gives you more granular control over what your employees can reach on the Internet and avoids opening access more broadly than necessary. Finally, AD authentication lets you track user activity in your logs by username instead of by IP address.
Tying to Active Directory is a straightforward process. In this article we explain the initial steps of configuring the firewall to use Active Directory in its basic form. We will cover using AD in policies and VPNs in a later post.
Adding Active Directory Settings to the Firewall
1. In Policy Manager, select Setup > Authentication > Authentication Servers
2. Select the Active Directory tab and click Add to start the wizard
3. Click Next on the first window of the wizard
4. Enter your domain name and click Next
5. Enter the DNS name or IP address of your server
NOTE: We recommend using an IP address, in case the firewall cannot resolve internal DNS records
6. Click Next and click Finish on the wizard
Adding User Accounts or Security Groups
In order to use Active Directory settings in your firewall policies, you need to make sure the user accounts or groups are referenced on the firewall. Make sure these are entered exactly as they appear in Active Directory, including spelling, capitalization, special characters, and spaces.
1. In Policy Manager, select Setup > Authentication > Users and Groups
2. Click Add to enter a user account or group
3. Enter the user account or security group information exactly as it is in Active Directory. By default, the Authentication Server settings will be set to Any. If you would like to specifically reference this as an AD user or group, select your domain from the dropdown.
NOTE: The option to Enable Host Sensor Enforcement is a new feature of firmware 12.5.4. This allows you to require that TDR be installed on the user’s computer before they can connect to a mobile VPN.
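Because the firewall only matches names that are spelled and capitalized exactly as in AD, it helps to check your entries before relying on a policy. The PowerShell script below is an added example, not from the article or from WatchGuard: it assumes the RSAT ActiveDirectory module on a domain-joined machine, assumes the firewall matches entries against the sAMAccountName attribute, and uses a constructed sample list of names.

```powershell
# Added example, not from the article: check that each user/group name entered on the
# firewall matches AD exactly. Assumes the RSAT ActiveDirectory module is installed,
# the script runs on a domain-joined machine, and (an assumption) that the firewall
# matches entries against the sAMAccountName attribute.
Import-Module ActiveDirectory

# Constructed sample list of names as typed into Policy Manager; replace with your own.
$FirewallEntries = @(
    @{ Name = 'VPN-Users';       Type = 'Group' },
    @{ Name = 'vpn-contractors'; Type = 'Group' },
    @{ Name = 'jdoe';            Type = 'User'  }
)

function Test-FirewallAdEntry {
    param([string]$Name, [string]$Type)

    # AD filters are case-insensitive, so a lookup may succeed even when the
    # capitalization differs; the exact comparison is done below with -cne.
    $safeName = $Name -replace "'", "''"
    $obj = if ($Type -eq 'Group') {
        Get-ADGroup -Filter "SamAccountName -eq '$safeName'"
    } else {
        Get-ADUser  -Filter "SamAccountName -eq '$safeName'"
    }

    $status = if (-not $obj) {
        'NOT FOUND'
    } elseif ($obj.SamAccountName -cne $Name) {
        "CASE MISMATCH (AD has '$($obj.SamAccountName)')"
    } elseif ($Type -eq 'User' -and -not $obj.Enabled) {
        'OK, but account is disabled (VPN logins will be refused)'
    } else {
        'OK'
    }
    [pscustomobject]@{ Name = $Name; Type = $Type; Status = $status }
}

$FirewallEntries | ForEach-Object { Test-FirewallAdEntry @_ } | Format-Table -AutoSize
```

Run it with an account that can read the directory; any row other than OK points at an entry that a policy or VPN referencing it will silently fail to match.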