Add computer groups from Microsoft Active Directory

Deep Security can use an LDAP server such as Microsoft Active Directory for computer discovery and to create user accounts and their contacts. Deep Security Manager queries the server, and then displays computer groups according to the structure in the directory.

If you are using Deep Security in FIPS mode, you must import the Active Directory's SSL certificate into Deep Security Manager before connecting the manager with the directory. See Manage trusted certificates.

  1. In Deep Security Manager, click Computers.
  2. In the main pane, click Add > Add Active Directory.
  3. Type the host name or IP address, name, description, and port number of your Active Directory server. Also enter your access method and credentials. Follow these guidelines:

    • The Server Address must be the same as the Common Name (CN) in the Active Directory's SSL certificate if the access method is LDAPS.
    • The Name doesn't have to match the directory's name in Active Directory.
    • The Server Port is Active Directory's LDAP or LDAPS port. The defaults are 389 (LDAP and StartTLS) and 636 (LDAPS).
    • The Username must include your domain name. Example: EXAMPLE/Administrator.
    • If you are using Deep Security in FIPS mode, click Test Connection in the Trusted Certificate section to check whether the Active Directory's SSL certificate has been imported successfully into Deep Security Manager.

    Click Next to continue.

  4. Specify your directory's schema. (If you haven't customized the schema, you can use the default values for a Microsoft Active Directory server.)
    The Details window of each computer in the Deep Security Manager has a "Description" field. To use an attribute of the "Computer" object class from your Active Directory to populate the "Description" field, type the attribute name in the Computer Description Attribute text box.
    Select Create a Scheduled Task to Synchronize this Directory if you want to automatically keep this structure in the Deep Security Manager synchronized with your Active Directory server. A Scheduled Task wizard will appear when you are finished adding the directory. (You can set this up later using the Scheduled Tasks wizard: Administration > Scheduled Tasks.)
  5. Click Next to continue.
  6. When the Manager has imported your directory, it will display a list of computers that it added. Click Finish.

    The directory structure will appear on the Computers page.

Additional Active Directory options

Right-clicking an Active Directory structure gives you options that are not available for non-directory computer groups:

  • Remove Directory
  • Synchronize Now

Remove Directory

When you remove a directory from the Deep Security Manager, you have these options:

  • Remove directory and all subordinate computers/groups from DSM: Remove all traces of the directory.
  • Remove directory but retain computer data and computer group hierarchy: Turn the imported directory structure into identically organized regular computer groups, no longer linked with the Active Directory server.
  • Remove directory, retain computer data, but flatten hierarchy: Remove links to the Active Directory server, discard the directory structure, and place all the computers into the same computer group.

Synchronize Now

You can manually trigger Deep Security Manager to synchronize with the Active Directory server to refresh information on computer groups.

You can automate this procedure by creating a scheduled task.

Server certificate usage

If it is not already enabled, enable SSL on your Active Directory server.

Computer discovery can use SSL, TLS, or unencrypted clear text, but importing user accounts (including passwords and contacts) requires authentication and SSL or TLS.

SSL or TLS connections require a server certificate on your Active Directory server. During the SSL or TLS handshake, the server presents this certificate to clients to prove its identity. The certificate can be either self-signed or signed by a certificate authority (CA). If you don't know whether your server has a certificate, on the Active Directory server, open the Internet Information Services (IIS) Manager, and then select Server Certificates. If the server doesn't have a signed server certificate, you must install one.
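Before typing the Server Address into the wizard, it helps to confirm that the certificate your domain controller presents on the LDAPS port actually carries that name, since a mismatch with the CN is a common reason an LDAPS connection fails. The following added example (not Trend Micro code) fetches the certificate over port 636 and compares the name against the subject CN; it also accepts subjectAltName entries, which TLS clients generally honour, although the page's rule is that the CN must match. It assumes you have exported the AD certificate or its issuing CA to a PEM file (the same certificate the FIPS step imports); the host name, file name and sample certificate are constructed.

```python
"""Added example (not Trend Micro code): check that the Server Address you
will enter in Deep Security Manager matches the certificate an Active
Directory server presents on its LDAPS port (636 by default)."""
import socket
import ssl

LDAPS_PORT = 636


def cert_names(cert: dict) -> list:
    """Subject CN plus DNS/IP subjectAltName entries, from getpeercert() dict form."""
    names = []
    for rdn in cert.get("subject", ()):
        names.extend(value for attr, value in rdn if attr == "commonName")
    names.extend(value for kind, value in cert.get("subjectAltName", ())
                 if kind in ("DNS", "IP Address"))
    return names


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive label-by-label match; '*' is honoured only as the leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return all(a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))


def server_address_matches(cert: dict, server_address: str) -> bool:
    """True when the address Deep Security will connect to appears in the certificate."""
    return any(name_matches(n, server_address) for n in cert_names(cert))


def fetch_ldaps_cert(server_address: str, cafile: str, port: int = LDAPS_PORT) -> dict:
    """Fetch the AD server certificate over LDAPS. cafile is the PEM file holding the
    AD certificate or its issuing CA. The chain is verified, but the host name is
    checked separately by server_address_matches so a mismatch is reported, not raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((server_address, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_address) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; lets the checks run offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.example.local"),),),
    "subjectAltName": (("DNS", "dc01.example.local"), ("DNS", "*.example.local")),
}
# Live use (assumed file name): fetch_ldaps_cert("dc01.example.local", "ad-ca.pem")
```

If the check returns False for the name you intend to use, either enter the name the certificate carries as the Server Address or reissue the certificate, rather than switching to unencrypted LDAP.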

Filter Active Directory objects

When importing Active Directory objects, search filters are available to manage the objects that will be returned. By default the wizard will only show groups. You can add additional parameters to the filter to further refine the selections. For additional information about search filter syntax, refer to https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

Import users and contacts

Deep Security can import user account information from Active Directory and create corresponding Deep Security users or contacts. This offers the following advantages:

  • Users can use their network passwords as defined in Active Directory.
  • Administrators can centrally disable accounts from within Active Directory.
  • Maintenance of contact information (for example, email addresses and phone numbers) is simplified by leveraging information already in Active Directory.

Both users and contacts can be imported from Active Directory. Users have configuration rights on the Deep Security Manager. Contacts can only receive Deep Security Manager notifications. The synchronization wizard allows you to choose which Active Directory objects to import as users and which to import as contacts.

To successfully import an Active Directory user account into Deep Security as a Deep Security user or contact, the Active Directory user account must have a userPrincipalName attribute value. (The userPrincipalName attribute corresponds to an Active Directory account holder's "User logon name".)

  1. Click Administration > User Management and then click either Users or Contacts.
  2. Click Synchronize with Directory.
    If this is the first time user or contact information is imported, the server information page is displayed. Otherwise, the Synchronize with Directory wizard is displayed.
  3. Select the appropriate access options, provide logon credentials, and click Next.
  4. Select the groups you want to synchronize from the left column, click >> to add them to the right column, and then click Next.

    You can select multiple groups by holding down shift or control while clicking on them.

  5. Select whether to assign the same Deep Security role to all Directory group members or to assign Deep Security roles based on Directory group membership, select a default role from the list, and then click Next.
  6. If you assigned Deep Security roles based on Directory Group membership, specify the synchronization options for each group and click Next.

    After synchronization, the wizard generates a report showing the number of objects imported.

    Before you finish the synchronization, you can choose to create a scheduled task to regularly synchronize users and contacts.
  7. Click Finish.

Once accounts are imported, you can tell them apart from organic (non-imported) Deep Security accounts because the general information of imported accounts cannot be changed in Deep Security Manager.

Keep Active Directory objects synchronized

Once imported, Active Directory objects must be continually synchronized with their Active Directory servers to reflect the latest updates for these objects. This ensures, for example, that computers that have been deleted in Active Directory are also deleted in Deep Security Manager. To keep the Active Directory objects that have been imported to the Deep Security Manager synchronized with Active Directory, it is essential to set up a scheduled task that synchronizes directory data. The wizard to import computers includes the option to create these scheduled tasks.

Alternatively, you can create this task using the Scheduled Task wizard. On-demand synchronization can be performed using the Synchronize Now option for computers and Synchronize with Directory button for users and contacts.

You do not need to create a scheduled task to keep users and contacts synchronized. At login, Deep Security Manager checks whether the user exists in Active Directory. If the username and password are valid, and the user belongs to a group that has synchronization enabled, the user is added to Deep Security Manager and allowed to log in.

Disable Active Directory synchronization

You can stop Deep Security Manager from synchronizing with Active Directory for both computer groups and user accounts.

Remove computer groups from Active Directory synchronization

  1. Go to Computers.
  2. Right-click the directory, and select Remove Directory.
  3. Select what to do with the list of computers from this directory when Deep Security Manager stops synchronizing with it:

    • Remove directory and all subordinate computers/groups from Deep Security Manager: Remove this directory's structure.
    • Remove directory but retain computer data and group hierarchy: Keep the existing structure, including its user and role access to folders and computers.
    • Remove directory, retain computer data, but flatten hierarchy: Convert the directory's structure to a flat list of computers inside a group that is named after the directory. The new computer group has the same user and role access as the old structure.
  4. Confirm the action.

Delete Active Directory users and contacts

Unlike when you remove directory queries for computer groups, if you delete the query for users and contacts, all those accounts are deleted from Deep Security Manager. As a result, you can't delete the query while logged into Deep Security Manager with a user account that was imported from the directory server; doing so results in an error.

  1. On either Users or Contacts, click Synchronize with Directory.
  2. Select Discontinue Synchronization and then click OK.
  3. Click Finish.