Dell SonicWALL Administration Manual

Directory services connector 3.7

Dell SonicWALL™ Directory Services
Connector 3.7
Administration Guide

  Summary of Contents for Dell SonicWALL

  • Page 1 Dell SonicWALL™ Directory Services Connector 3.7 Administration Guide...
  • Page 2 The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT...
  • Page 3: Table Of Contents

    Adding Dell SonicWALL appliances ........32...
  • Page 4 Contacting Dell ........
  • Page 5: About This Guide

    About this guide Introduction Welcome to the Dell SonicWALL™ Directory Services Connector Administration Guide. It provides information on installing and configuring the Dell SonicWALL Single Sign-On agent and other elements of Directory Services Connector (DSC). Always check https://support.software.dell.com for the latest version of this guide as well as other Dell SonicWALL products and services documentation.
  • Page 6: Directory Services Connector Overview

    Single Sign-On (SSO) is a transparent user authentication mechanism that provides privileged access to multiple network resources with a single workstation login. Dell SonicWALL security appliances provide SSO functionality using the Dell SonicWALL Single Sign-On Agent (SSO Agent) to identify user activity based on the workstation IP address.
  • Page 7: About Agent-To-Agent Communication

    Dell SonicWALL Terminal Services Agent (TSA) to communicate with Dell SonicWALL SSO. The TSA is not included as part of this release. For more information about the TSA, see the latest Terminal Services Agent Release Notes, the latest SonicOS Administration Guide and the SonicOS Enhanced Single Sign-On Feature Module, available on https://support.software.dell.com.
  • Page 8: About The Sso Agent Cache

    Registry and set the REFRESHTIME value to 0. If the cache refresh rate is set to zero seconds, user information is fetched from the workstation for every request from the Dell SonicWALL appliance. The appliance default is to time out after 10 seconds and to retry up to six times, so the agent receives multiple requests from it if a NetAPI request is slow to complete.
  • Page 9: About Single Sign-On With Active Directory Or Ldap

    Content Filtering and Application Firewall to control what they are allowed to access. User names learned through SSO are reported in the Dell SonicWALL appliance logs of traffic and events from the users. The configured inactivity timer applies with SSO but the session limit does not, though users who are logged out are automatically and transparently logged back in when they send further traffic.
  • Page 10: About Single Sign-On With Novell Edirectory

    To use Dell SonicWALL SSO, it is required that the SSO Agent be installed on a server that can communicate with the Active Directory server and with clients and the Dell SonicWALL security appliance directly using the IP address or using a path, such as VPN.
  • Page 11: About User Identification Methods

    The Dell SonicWALL appliance queries the SSO Agent. The SSO Agent queries the eDirectory server about the user. The SSO Agent communicates the user's content filtering policies to the Dell SonicWALL appliance, based on the user's individually assigned policies and any policies inherited from groups and from organizational units.
  • Page 12 LogWatcher is a Windows service that runs on each Domain Controller. It fetches the security event log, parses the log events, and sends user logon/logoff information to the SSO Agent and/or the Dell SonicWALL network security appliance. LogWatcher is most suitable in a distributed DC environment where the DC logs are replicated across multiple Domain Controllers.
  • Page 13: About Using Samba On Linux/Unix Clients

    About using Samba on Linux/UNIX clients Samba 3.0 or newer can be installed on Linux/UNIX clients for use with Dell SonicWALL SSO. Samba is a software package used on Linux/UNIX machines to give them access to resources in a Windows domain (by way of Samba's smb client utility).
  • Page 14: Sonicwall Appliance/Firmware Compatibility

    SonicWALL appliance/firmware compatibility SonicWALL Directory Services Connector is a supported release for use with the following SonicWALL platforms: • SuperMassive 9200 / 9400 / 9600 running SonicOS 6.1 and above • SuperMassive E10200 / E10400 / E10800 running SonicOS 6.0.x •...
  • Page 15: Domain Controller Server Compatibility

    SSO Agent platform compatibility SonicWALL Directory Services Connector and SSO Agent are supported for installation on 32-bit and 64-bit Windows systems running the following operating systems: •...
  • Page 16: Client Compatibility

    In these environments, you can use the Dell SonicWALL Terminal Services Agent (TSA) to communicate with the SonicOS Single Sign-On feature. The TSA is not included as part of Dell SonicWALL Directory Services Connector. For more information about the TSA, see the latest Terminal Services Agent Release Notes and the latest SonicOS Administration Guide, available at: https://support.software.dell.com/.
  • Page 17: Installing Directory Services Connector

    If prompted, install the Microsoft .NET framework. In the Welcome screen, click Next to continue the installation. In the License Agreement screen, accept the terms of the license agreement, and then click Next.
  • Page 18 Directory Connector, select the application use privileges, and then click Next. Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Change, select the folder, and click Next.
  • Page 19 On the Custom Setup page, the installation icon is displayed by default next to the SonicWALL SSO Agent feature. Click Next. In the next screen, click Install to install Directory Connector.
  • Page 20 Password field, and the domain name of the account in the Domain Name field. Click Next. 11 Enter the IP address of your SonicWALL security appliance in the SonicWALL Appliance IP field. Type the port number for the same appliance in the Dell SonicWALL Appliance Port field. Enter a shared key (a hexadecimal number from 1 to 16 digits in length) in the Shared Key field, using an even number of digits.
  • Page 21: Installing Dsc With Novell Edirectory

    In the Customer Information screen, enter your username and the name of the company that owns the workstation where you are installing the SSO Agent, select the application use privileges, and then click Next.
  • Page 22 Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Change, select the folder, and click Next. On the Custom Setup page, select the Novell eDirectory Support feature for installation. Click Next.
  • Page 23 • SonicWALL Appliance IP — Type in the Dell SonicWALL appliance IP address. • SonicWALL Appliance Port — Type in the port used by the SSO Agent to communicate with the Dell SonicWALL appliance. The default port is 2258. •...
  • Page 24 12 When the installation is complete, optionally select Launch SonicWALL Directory Connector to launch the Dell SonicWALL Directory Services Connector, and then click Finish. For more information about configuring and using Dell SonicWALL SSO with Novell eDirectory support, see the SonicOS Single sign-on Feature Module and the latest SonicOS Administration Guide, available on https://support.software.dell.com/release-notes-product-select.
  • Page 25: Using And Configuring Directory Services Connector

    The View menu in the Directory Connector Configuration Tool provides options for displaying or hiding the toolbar and status bar. Click View > ToolBar to toggle the toolbar display. If it is currently hidden, it will be displayed. If currently displayed, it will be hidden.
  • Page 26: Using The Actions Menu

    It also provides options for managing the SSO Agent Windows service. Figure 1. Actions menu with SonicWALL SSO Agent selected All of the Actions menu options are also available on the right-click menu for the SonicWALL SSO Agent from within the Configuration Tool. See the following: •...
  • Page 27 Figure 2. Actions > Properties page To configure the SSO Agent settings: In the DSC Configuration Tool, select SonicWALL SSO Agent in the left pane and then navigate to the Actions > Properties page. For Host IP, type in the IP address of the machine with the SSO Agent installed.
  • Page 28: Viewing Logs

    Viewing logs To view the SSO Agent log messages: In the DSC Configuration Tool, select SonicWALL SSO Agent in the left pane and then navigate to the Actions > View Logs page. The log viewer page is displayed. Log entries from the last 10 minutes are shown. For entries older than this, you can check Application Logs from the Windows Event Viewer.
  • Page 29 Figure 3. Actions > Users and Hosts page To use the Users and Hosts page: In the DSC Configuration Tool, select SonicWALL SSO Agent in the left pane and then navigate to the Actions > Users and Hosts page. To refresh the page, click Refresh.
  • Page 30 Figure 4. Actions > Diagnostic Tool page To display and use the Diagnostic Tool: In the DSC Configuration Tool, select SonicWALL SSO Agent in the left pane and then navigate to the Actions > Diagnostic Tool page. The Diagnostic Tool page is displayed.
  • Page 31 The Load Test feature allows you to preload a static set of IP-to-username mappings and static user configuration in a user-defined test file. The tester can create a file named static.csv in the program installation directory, which by default is C:\Program Files\Dell SonicWALL\SSOAgent. The following is an example of a static.csv: 10.0.0.0,user0 10.0.0.1,user1 10.0.0.2,domain\user2...
  • Page 32: Using The Help Menu

    To add a Dell SonicWALL network security appliance in Directory Services Connector: Launch the Configuration Tool. Expand SonicWALL Directory Connector and SonicWALL SSO Agent in the left column by clicking the + buttons. Right-click Dell SonicWALL Appliances and select Add.
  • Page 33: Adding Domain Controllers

    The Fetch Start Time is the start time from which the agent starts fetching all event logs from the DC during the service start up. It fetches all logs for a specified time until the service start time. Click Test Connection to check the connectivity to the domain controller. Click OK.
  • Page 34: Configuring Remote Sso Agents

    To configure remote SSO Agents in Directory Services Connector: Launch the Dell SonicWALL Directory Services Connector Configuration Tool. Expand SonicWALL Directory Connector and SonicWALL SSO Agent in the left column by clicking the + buttons.
  • Page 35: Configuring Agent-To-Agent Communication

    Click OK. Configuring Agent-to-Agent communication Dell SonicWALL Directory Services Connector SSO Agents can communicate and share information (such as global user-databases) between agents. Also known as Agent Synchronization, this feature is available when Query Source is set to DC Security Log with or without NetAPI/WMI, and when Enable Scanner is selected when Query Source is set to either NETAPI or WMI.
  • Page 36: Using The Sso Agent Cache

    Registry and set the REFRESHTIME value to 0. If the cache refresh rate is set to zero seconds, user information is fetched from the workstation for every request from the Dell SonicWALL appliance. About the SSO Agent cache on page for more information on when the cache can be helpful.
  • Page 37: Configuring Netapi And Wmi Methods

    To change the cache refresh time in the SSO Agent: In the DSC Configuration Tool, right-click the SonicWALL SSO Agent in the left pane and select Properties. In the right pane, enter the desired number of seconds in the Cache Refresh Time field. The default is 60 seconds, with a range of 30–600 seconds.
  • Page 38: Using The Netapi/Wmi Scanner

    IP address in its cache. If the IP address is not present in the cache, the SSO Agent treats the request as the first request for that IP address and adds the address to its scanner queue for further processing.
  • Page 39: Bad Ip Address Handling By Scanner

    IP addresses that are not polled from the appliance. The session time can be modified from Windows registry settings using the registry value “SESIONTIME.”
  • Page 40: Non-Responsive Workstation Handling

    Using DC Security Log Dell SonicWALL Directory Services Connector provides an option for the SSO Agent to identify logged in user information from the domain controller's Windows security log (DC security log or WSL). When using DC security log method as the query source, Directory Services Connector fetches security logs from the configured domain controller.
  • Page 41 IP address is also logged. To configure the DC Security Log method in Directory Services Connector: In the Directory Connector Configuration Tool, right-click SonicWALL SSO Agent in the left panel. Select Properties. For the options above Query Source, see Configuring SSO Agent settings on Actions >...
  • Page 42: Installing And Configuring Logwatcher

    Services Connector. The administrator must open the install folder and change the DCConfig.xml as described below. A readme.txt file is launched at the end of the installation which describes this procedure. Logon Audit must be enabled on the domain controller.
  • Page 43 Enter the LogWatcher Shared Key. NOTE: The SSO port number and shared key in the DCConfig.xml file on the Domain Controller must be the same as the LogWatcher Port number and LogWatcher Shared Key.
  • Page 44: Setting A Group Policy To Enable Audit Logon On Windows Server 2003

    Right-click on Group Policy Objects and select New. Give your policy a name and click OK. Expand the Group Policy Objects folder and find your new policy. Right-click on the policy and select Edit...
  • Page 45 Double-click Audit account logon events and select Success. Click OK. Double-click “Audit logon events” and select Success. 10 Click OK. 11 Double-click “Audit Directory Service Access” and select Success. 12 Click OK. 13 Close the Group Policy Window.
  • Page 46: Setting A Group Policy To Enable Audit Logon On Windows Server 2008

    To finish the Audit Policy, complete the following steps for the screen that follows: Double-click Audit account logon events and select Success. Click OK. Double-click Audit logon events and select Success. Click OK. Double-click Audit Directory Service Access and select Success. Click OK.
  • Page 47 Double-click Audit Object access and select Success. Click OK.
  • Page 48: Enabling Ldap Over Tls With Novell Edirectory

    In the Directory Connector Configuration Tool, right-click eDirectory in the left pane and select Properties. In the right pane, select Enable Encrypted Port. Type the port number into the SSL/TLS Port field. This can be port 636 or another configured port. Click OK.
  • Page 49: About Dell

    Technical support resources Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year.