Add computer groups from Microsoft Active Directory

Does not apply to Deep Security as a Service

Deep Security can use an LDAP server such as Microsoft Active Directory for computer discovery and to create user accounts and their contacts. Deep Security Manager queries the server, and then displays computer groups according to the structure in the directory.

  1. Right-click Computers in the navigation panel and select Add Active Directory
  2. Type a name and description for your imported directory (it doesn't have to match the directory's name in Active Directory), the IP and port number of the Active Directory server, and then your access method and credentials.
    You must include your domain name with your username in the User Name field.
    Click Next to continue.
  3. Specify your directory's schema. (If you haven't customized the schema, you can use the default values for a Microsoft Active Directory server.)
    The Details window of each computer in the Deep Security Manager has a "Description" field. To use an attribute of the "Computer" object class from your Active Directory to populate the "Description" field, type the attribute name in the Computer Description Attribute text box.
    Select Create a Scheduled Task to Synchronize this Directory if you want to automatically keep this structure in the Deep Security Manager synchronized with your Active Directory server. A Scheduled Task wizard will appear when you are finished adding the directory. (You can set this up later using the Scheduled Tasks wizard: Administration > Scheduled Tasks.)
  4. Click Next to continue.
  5. When the Manager has imported your directory, it will display a list of computers that it added. Click Finish.

    The directory structure will appear on the Computers page.

Additional Active Directory options

Right-clicking an Active Directory structure gives you options that are not available for non-directory computer groups:

  • Remove Directory
  • Synchronize Now

Remove Directory

When you remove a directory from the Deep Security Manager, you have these options:

  • Remove directory and all subordinate computers/groups from DSM: Remove all traces of the directory.
  • Remove directory but retain computer data and computer group hierarchy: Turn the imported directory structure into identically organized regular computer groups, no longer linked with the Active Directory server.
  • Remove directory, retain computer data, but flatten hierarchy: Remove links to the Active Directory server, discards directory structure, and places all the computers into the same computer group.

Synchronize Now

You can manually trigger Deep Security Manager to synchronize with the Active Directory server to refresh information on computer groups.

You can automate this procedure by creating a scheduled task.

Server certificate usage

If it is not already enabled, enable SSL on your Active Directory server.

Computer discovery can use either SSL / TLS or unencrypted clear text, but importing user accounts (including passwords and contacts) requires authentication and SSL / TLS.

SSL / TLS requires a server certificate on your Active Directory server. During the SSL / TLS handshake, the server will present this certificate to clients to prove its identity. This certificate can be either self-signed or signed by a certificate authority (CA). If you don't know if your server has a certificate, on the Active Directory server, open the Internet Information Services (IIS) Manager, and then select Server Certificates. If the server doesn't have a signed server certificate, you must install it.

Filtering Active Directory objects

When importing Active Directory objects, search filters are available to manage the objects that will be returned. By default the wizard will only show groups. You can add additional parameters to the filter to further refine the selections. For additional information about search filter syntax, refer to http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

Importing users and contacts

Deep Security can import user account information from Active Directory and create corresponding Deep Security users or contacts. This offers the following advantages:

  • Users can use their network passwords as defined in Active Directory.
  • Administrators can centrally disable accounts from within Active Directory.
  • Maintenance of contact information is simplified (e.g., email, phone numbers, etc.) by leveraging information already in Active Directory.

Both users and contacts can be imported from Active Directory. Users have configuration rights on the Deep Security Manager. Contacts can only receive Deep Security Manager notifications. The synchronization wizard allows you to choose which Active Directory objects to import as users and which to import as contacts.

To successfully import an Active Directory user account into Deep Security as a Deep Security user or contact, the Active Directory user account must have a userPrincipalName attribute value. (The userPrincipalName attribute corresponds to an Active Directory account holder's "User logon name".)

To import users or contacts:

  1. Click Administration > User Management and then click either Users or Contacts.
  2. Click Synchronize with Directory.
    If this is the first time user or contact information is imported, the server information page is displayed. Otherwise, the Synchronize with Directory wizard is displayed.
  3. Select the appropriate access options, provide logon credentials, and click Next.
  4. Select the groups you want to synchronize by selecting them from the left column and clicking >> to add them to the right column and then click Next.

    You can select multiple groups by holding down shift or control while clicking on them.

  5. Select whether to assign the same Deep Security role to all Directory group members or to assign Deep Security roles based on Directory Group membership and then select a default role from the list and click Next.
  6. If you assigned Deep Security roles based on Directory Group membership, specify the synchronization options for each group and click Next.

    After synchronization, the wizard generates a report showing the number of objects imported.

    Before you finish the synchronization, you can choose to create a scheduled task to regularly synchronize users and contacts.

  7. Click Finish.

Once imported, you will be able to tell the difference between organic (non-imported) Deep Security accounts and imported accounts because you will not be able to change any general information for these accounts.

Keeping Active Directory objects synchronized

Once imported, Active Directory objects must be continually synchronized with their Active Directory servers to reflect the latest updates for these objects. This ensures, for example, that computers that have been deleted in Active Directory are also deleted in Deep Security Manager. To keep the Active Directory objects that have been imported to the Deep Security Manager synchronized with Active Directory, it is essential to set up a scheduled task that synchronizes directory data. The host importation wizard includes the option to create these scheduled tasks.

It is also possible to create this task using the Scheduled Task wizard. On-demand synchronization can be performed using the Synchronize Now option for hosts and Synchronize with Directory button for users and contacts.

You do not need to create a scheduled task to keep users / contacts synchronized. At log in, Deep Security Manager checks whether the user exists in Active Directory. If the username and password are valid, and the user belongs to a group that has synchronization enabled, the user will be added to Deep Security Manager and allowed to log in.

Disabling Active Directory synchronization

You can stop Deep Security Manager from synchronizing with Active Directory for both computer groups and user accounts.

Removing computer groups from Active Directory synchronization

  1. Go to Computers.
  2. Right-click the directory, and select Remove Directory.
  3. Select a removal option:

    • Remove directory and all subordinate computers / groups from Deep Security Manager: All host records will be removed from the computers list
    • Remove directory but retain computer data and group hierarchy: The existing Active Directory structure will be retained, but this will no longer be synchronized with Active Directory. Since the structure is unaffected, user and role access to folders and hosts will be retained
    • Remove directory, retain computer data, but flatten hierarchy: Host records will be stripped of their original hierarchy, but will all be stored in a group named after the directory. User and role access to the directory will be transferred to the group so you can still access the hosts.
  4. Confirm the action.

Deleting Active Directory users and contacts

Unlike when you remove directory queries for computer groups, if you delete the query for users and contacts, all those accounts will be deleted from Deep Security Manager. As a result, you can't delete while logged into Deep Security Manager with a user account that was imported from the directory server. Doing so will result in an error.

  1. On either Users or Contacts, click Synchronize with Directory.
  2. Select Discontinue Synchronization then click OK.
  3. Click Finish.