Dell SonicWALL, Administration Manual

Page 1: ...Dell SonicWALL Directory Services Connector 3 7 Administration Guide ...

Page 2: ...R INABILITY TO USE THIS DOCUMENT EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice Dell does not make any commitment to update the information contained i...

Page 3: ...bility 14 eDirectory server compatibility 14 Domain controller server compatibility 15 SSO Agent platform compatibility 15 Client compatibility 16 Citrix or terminal services compatibility 16 Installing Directory Services Connector 17 Installing DSC with Active Directory 17 Installing DSC with Novell eDirectory 21 Using and configuring Directory Services Connector 25 Using the DSC Configuration To...

Page 4: ...ng DC Security Log 40 Installing and configuring LogWatcher 42 Setting a group policy to enable audit logon on Windows Server 2003 44 Setting a group policy to enable audit logon on Windows Server 2008 46 Enabling LDAP over TLS with Novell eDirectory 48 About Dell 49 Contacting Dell 49 Technical support resources 49 ...

Page 5: ...pful information for using this guide It includes conventions used in this guide information on how to obtain additional product information and a summary of the chapters in the guide Chapter 2 Directory Services Connector overview This chapter provides an overview of Directory Services Connector It includes an introduction to DSC information about user identification methods and platform compatib...

Page 6: ...rk resources with a single workstation login Dell SonicWALL security appliances provide SSO functionality using the Dell SonicWALL Single Sign On Agent SSO Agent to identify user activity based on the workstation IP address SSO is configured in the Users Settings page of the SonicOS management interface SSO is separate from the authentication method for login settings that can be used at the same ...

Page 7: ...s you can use the Dell SonicWALL Terminal Services Agent TSA to communicate with Dell SonicWALL SSO The TSA is not included as part of this release For more information about the TSA see the latest Terminal Services Agent Release Notes the latest SonicOS Administration Guide and the SonicOS Enhanced Single Sign On Feature Module available on https support software dell com About Agent to Agent com...

Page 8: ...where using the cache can help and having it disabled could be a small disadvantage If a NetAPI request happens to take a multiple of 10 seconds then the agent s reply could cross over with a request retry from the appliance This would cause the agent to initiate another NetAPI request where if using a non zero refresh rate for the cache it would simply repeat the last reply from its cache If a re...

Page 9: ...licies to control who is given access and can be used in selecting policies for Content Filtering and Application Firewall to control what they are allowed to access User names learned through SSO are reported in the Dell SonicWALL appliance logs of traffic and events from the users The configured inactivity timer applies with SSO but the session limit does not though users who are logged out are ...

Page 10: ...ferred to as NetWare Directory Services is an X 500 compatible directory service software product initially released in 1993 by Novell for centrally managing access to resources on multiple servers and computers within a given network eDirectory is a hierarchical object oriented database used to represent certain assets in an organization in a logical tree including organizations organizational un...

Page 11: ...d batch logons The SSO Agent then determines the correct user name in this list The NetAPI method is much faster than the WMI method but might not always yield a correct username Windows Firewall might block both methods by default To enable WMI methods in the Windows Firewall you can select Windows Management Instrumentation in Control Panel All Control Panel Items Windows Firewall Allowed Progra...

Page 12: ... com en us download details aspx id 8328 Microsoft Visual C 2008 Redistributable Package x86 for Windows Server 2003 http www microsoft com en us download details aspx id 29 3 The Domain Controller must have Microsoft Core XML Services MSXML 6 0 also known as Microsoft MSXML Parser 6 0 installed http www microsoft com en us download details aspx id 3988 4 The Domain Controller must have audit logo...

Page 13: ...y need to log in to do so They can be redirected to the login prompt if policy rules are set to require authentication Without Samba the DC security log method works for using Single Sign On with Linux clients Platform compatibility To use Dell SonicWALL Single Sign On it is required that the SSO Agent is installed on a server that can communicate with the Active Directory or eDirectory server and...

Page 14: ...ning SonicOS 4 0 and above PRO 2040 3060 4060 4100 5060 running SonicOS 4 0 and above Virtual environment compatibility Recommended Virtual Environments for Directory Services Connector include VMware ESX 5 5 VMware ESX 5 1 VMware ESX 4 x Microsoft Hyper V 2012 R2 Microsoft Hyper V 2008 R2 Virtual Machine host configuration requirements OS Windows Server 2008 2012 R2 32 bit 64 bit CPU Intel Xenon ...

Page 15: ...The following versions of NET Framework are supported NET Framework 2 0 and above The following Microsoft Windows operating systems are not supported as servers Windows 2000 All versions Limitations The following limitations exist in Windows operating systems prior to Windows Server 2008 or Windows 7 Certain Windows API elements are not supported including the Event Subscription API for communicat...

Page 16: ... bit Windows XP 32 64 bit Citrix or terminal services compatibility The Dell SonicWALL SSO Agent is not supported in a Citrix or Terminal Services Environment In these environments you can use the Dell SonicWALL Terminal Services Agent TSA to communicate with the SonicOS Single Sign On feature The TSA is not included as part of Dell SonicWALL Directory Services Connector For more information about...

Page 17: ...e with Active Directory 1 Download one of the following installation programs depending on your computer SonicWALL Directory Connector 32 bit 3 7 xx exe SonicWALL Directory Connector 64 bit 3 7 xx exe You can find these installers on http www mysonicwall com under Directory Services Connector 2 Double click the installer to begin installation 3 If prompted install the Microsoft NET framework 4 In ...

Page 18: ...d the name of the company that owns the workstation where you are installing the Directory Connector select the application use privileges and then click Next 7 Select the destination folder To use the default folder C Program Files SonicWALL DCON click Next To specify a custom location click Change select the folder and click Next ...

Page 19: ...ces Connector 3 7 Administration Guide 19 8 On the Custom Setup page the installation icon is displayed by default next to the SonicWALL SSO Agent feature Click Next 9 In the next screen click Install to install Directory Connector ...

Page 20: ...ss of your SonicWALL security appliance in the SonicWALL Appliance IP field Type the port number for the same appliance in the Dell SonicWALL Appliance Port field Enter a shared key a hexadecimal number from 1 to 16 digits in length in the Shared Key field using an even number of digits Click Next to continue 12 Wait for the installation to complete The status bar displays while Directory Services...

Page 21: ...ation programs depending on your computer SonicWALL Directory Connector 32 bit 3 7 xx exe SonicWALL Directory Connector 64 bit 3 7 xx exe You can find these installers on http www mysonicwall com under Directory Services Connector 2 Double click the installer to begin installation 3 If prompted install the Microsoft NET framework 4 In the Welcome screen click Next to continue the installation 5 In...

Page 22: ...r To use the default folder C Program Files SonicWALL DCON click Next To specify a custom location click Change select the folder and click Next 8 On the Custom Setup page select the Novell eDirectory Support feature for installation Click Next 9 In the Ready to Install the Program screen click Install ...

Page 23: ...e SSO Agent and the Dell SonicWALL appliance You must also enter the same key when configuring the appliance to use Dell SonicWALL SSO 11 In the Novell eDirectory Admin User Configuration screen enter the information for the Novell eDirectory server and then click Next Server IP Address eDirectory Server IP Address Server Port eDirectory Server Port 389 by default Login Username Login username for...

Page 24: ...y Connector to launch the Dell SonicWALL Directory Services Connector and then click Finish For more information about configuring and using Dell SonicWALL SSO with Novell eDirectory support see the SonicOS Single sign on Feature Module and the latest SonicOS Administration Guide available on https support software dell com release notes product select ...

Page 25: ...e 48 Using the DSC Configuration Tool menus The Directory Services Connector Configuration Tool provides several menus at the top of the screen for configuring settings and viewing information Using the File menu on page 25 Using the View menu on page 25 Using the Actions menu on page 26 Using the Help Menu on page 32 Using the File menu The File menu in the Directory Connector Configuration Tool ...

Page 26: ...of the screen The installed version of the SSO Agent is also displayed there Using the Actions menu With SonicWALL SSO Agent selected in the Directory Connector Configuration Tool the Actions menu provides options for editing the SSO Agent configuration settings viewing the log entries viewing users and hosts using the diagnostic tool and refreshing the display It also provides options for managin...

Page 27: ... list 0 No logging 1 Errors will be logged 2 Debug messages and errors will be logged 3 Diagnostic messages debug messages and errors will be logged 4 For Cache Refresh Time enter the number of seconds that items should remain in the SSO Agent cache The default is 60 seconds the range is 30 600 seconds For more information see About the SSO Agent cache on page 8 and Using the SSO Agent cache on pa...

Page 28: ...th all Query Source methods 8 Depending on the selected Query Source method additional options are displayed See Configuring NETAPI and WMI methods on page 37 or Configuring the DC security log method on page 40 for information about these options 9 For Configuration File if not using the default file or path enter the custom path and name of the configuration file The default is C Program Files x...

Page 29: ...og entries fetched from each domain controller Viewing LogWatcher Information in Users and Hosts Page The Users and Hosts page shows the list of DC LogWatcher s that are communicating with DSC and the time of the last packet received from each DC LogWatcher It also displays the total number of logon and logoff packets received from DC LogWatcher s Figure 3 Actions Users and Hosts page To use the U...

Page 30: ...ctions Diagnostic Tool page To display and use the Diagnostic Tool 1 In the DSC Configuration Tool select SonicWALL SSO Agent in the left pane and then navigate to the Actions Diagnostic Tool page The Diagnostic Tool page is displayed 2 Select one of the following from the Query Source drop down list WMI NETAPI NETAPI Workstation Info DC Security Logs All Users 3 In the IP Address field type in th...

Page 31: ...uld be run with a domain administrator account You can set up an account name and password on this page Figure 5 Actions Service Logon User page Starting and stopping the Windows service The Action Start Service and Action Stop Service pages provide a way to start and stop the Windows service for the SSO Agent Figure 6 Actions pages for starting stopping Windows service Using the Load Test file Th...

Page 32: ...it to the Support team Fill in the Subject Email ID your email address Name your name and Comment fields and then click Submit About Select About to display a popup window with the installed version number of Directory Services Connector and the SSO Agent Adding Dell SonicWALL appliances Dell SonicWALL network security appliances provide Single Sign On functionality using the SSO Agent to identify...

Page 33: ...the domain controller in the Directory Connector Configuration Tool 1 In the Directory Connector Configuration Tool right click Domain Controllers in the left pane 2 Select Add 3 In the right pane type the domain controller IP address in the IP Address field 4 In the Administrator Username field enter the domain administrator user name 5 In the Administrator password field enter the domain adminis...

Page 34: ...nt communication go to the SonicWALL SSO Agent Properties page Actions Properties in the Configuration tool To configure remote SSO Agents in Directory Services Connector 1 Launch the Dell SonicWALL Directory Services Connector Configuration Tool 2 Expand SonicWALL Directory Connector and SonicWALL SSO Agent in the left column by clicking the buttons ...

Page 35: ...icWALL Directory Services Connector SSO Agents can communicate and share information such as global user databases between agents Also known as Agent Synchronization this feature is available when Query Source is set to DC Security Log with or without NetAPI WMI and when Enable Scanner is selected when Query Source is set to either NETAPI or WMI Agent synchronization can be used between agents whi...

Page 36: ...dden from the Windows Registry To disable caching cache refresh time 0 edit the Registry and set the REFRESHTIME value to 0 If the cache refresh rate is set to zero seconds user information is fetched from the workstation for every request from the Dell SonicWALL appliance See About the SSO Agent cache on page 8 for more information on when the cache can be helpful NOTE This option is only availab...

Page 37: ...ut users that are logged into a workstation including domain users local users and Windows services NETAPI provides faster though possibly slightly less accurate performance WMI provides slower though possibly more accurate performance With NETAPI Windows reports the last login to the workstation whether or not the user is still logged in This means that after a user logs out from his computer the...

Page 38: ...nd the range is 5 100 8 Click Apply to restart the service with the new settings and stay on the page 9 Click OK to restart the service with the new settings and close the page Using the NETAPI WMI scanner The SSO Agent Properties Actions Properties page in the DSC Configuration Tool provides the Enable Scanner option to enable the NETAPI WMI background scanner The scanner works with either NETAPI...

Page 39: ...s in the scanner With Agent to Agent communication smart NETAPI WMI scanners allow the transfer of polling requests between SSO Agents When one agent is overloaded with requests a comparatively free agent can handle the requests The scanner differentiates IP addresses into three queues each with a specified priority New IP request High Priority Succeeded IP Mid Priority Bad IP Low Priority Any IP ...

Page 40: ...n accounts to access Windows or Linux workstations The DC Security Log method can optionally be used with either NETAPI or WMI as a fall back to support user identification from non domain Windows PCs or domain PCs using local accounts Altogether there are four query source options involving the DC security log DC Security Log Users are identified from the domain controller s Windows security log ...

Page 41: ...ble at https support software dell com kb sw9764 Windows Server uses the DC security log to record logon logoff events and or other security related events specified by the system s audit policy If the audit policy is set to record log ins a successful domain log in records the user s user name and computer name in the security log On Windows Server 2003 and above the computer s IP address is also...

Page 42: ...checkbox For information about the NetBIOS option see About NetBIOS mapping support on page 12 10 If multiple SSO Agents exist select the Allow Agent synchronization checkbox to allow Agent to Agent communication For information about Agent synchronization see About Agent to Agent communication on page 7 and Configuring Agent to Agent communication on page 35 11 For Agent sync Port if Allow Agent ...

Page 43: ...O Agent or use the Actions menu to open the Properties page of the SSO Agent 2 Select DC Security Log in the Query Source drop down list 3 Select the Add LogWatcher Support checkbox 4 Enter the LogWatcher Port number default is 2259 5 Enter the LogWatcher Shared Key Table 1 LogWatcher data fields IP_ADDRESS IP address of the SSO Agent PORT_NO Port number of the SSO Agent for receiving the UDP pack...

Page 44: ...dit logon complete the following steps 1 Start the Group Policy Management Console 2 Browse to the following location Forest Domain Name Domains Domain Name Group Policy Objects replacing Domain Name with your domain 3 Right click on Group Policy Objects and select New 4 Give your policy a name and click OK 5 Expand the Group Policy Objects folder and find your new policy Right click on the policy...

Page 45: ...y Settings Local Policies Audit Policy Left click on Audit Policy The policy settings are displayed in the right window 7 Double click Audit account logon events and select Success 8 Click OK 9 Double click Audit logon events and select Success 10 Click OK 11 Double click Audit Directory Service Access and select Success 12 Click OK 13 Close the Group Policy Window ...

Page 46: ...dit the Default Domain Policy Figure 7 Default domain policy Windows Server 2008 To finish the Audit Policy complete the following steps for the screen that follows 1 Double click Audit account logon events and select Success 2 Click OK 3 Double click Audit logon events and select Success 4 Click OK 5 Double click Audit Directory Service Access and select Success 6 Click OK ...

Page 47: ...Dell SonicWALL Directory Services Connector 3 7 Administration Guide 47 7 Double click Audit Object access and select Success Click OK ...

Page 48: ...ications and verifies the server certificate The software on your LDAP server must support TLS To enable Novell eDirectory connections using LDAP over TLS complete the following steps 1 In the Directory Connector Configuration Tool right click eDirectory in the left pane and select Properties 2 In the right pane select Enable Encrypted Port 3 Type the port number into the SSL TLS Port field This c...

Page 49: ...ll software with a valid maintenance contract and to customers who have trial versions The Support Portal provides self help tools you can use to solve problems quickly and independently 24 hours a day 365 days a year In addition the portal provides direct access to product support engineers through an online Service Request system To access the Support Portal go to https support software dell com...