Managing Active Directory Scanners
If your organization uses Microsoft Active Directory (AD), you can import users, groups, Organizational Units (OUs) and computers from multiple AD domains into the
When you first log in to Harmony Browse, the AD tree is empty. To populate the tree with computers from the Active Directory, you must configure the Directory Scanner (a component of the Endpoint Security Management Server that scans the defined Active Directory and copies the existing Active Directory structure to the server database).
The Directory Scanner scans the defined Active Directory and fills the AD table in the Asset Management view, copying the existing Active Directory structure to the server database.
Harmony Browse supports the use of multiple AD scanners per Active Directory domain, and multiple domains per service.
Required Permissions to Active Directory:
For the scan to succeed, the user account related to each Directory Scanner instance requires full read permissions to:
- The Active Directory root.
- All child containers and objects.
- The Deleted Objects container.
An object deleted from the Active Directory is not immediately erased, but moved to the Deleted Objects container.
Comparing objects in the AD with those in the Deleted objects container gives a clear picture of network resources (computers, servers, users, groups) that have changed since the last scan.
The Active Directory Scanner does not scan Groups of type "Distribution".
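The Deleted Objects container is hidden and not readable by ordinary accounts, so it is the permission most often missing when a scan fails. The following PowerShell is an added example (not Check Point's code, not taken from this page) of granting and verifying the three read scopes listed above for a scanner service account; the domain DN and account name are placeholders, and it assumes the RSAT ActiveDirectory module and dsacls.exe are available on the machine where it runs.

```powershell
# Added example: grant and verify Directory Scanner read access (placeholders below).
Import-Module ActiveDirectory

$DomainDN  = 'DC=example,DC=local'        # placeholder: your domain's root DN
$Scanner   = 'EXAMPLE\svc-adscanner'      # placeholder: the scanner's service account
$DeletedDN = "CN=Deleted Objects,$DomainDN"

# 1. Root + all child containers/objects: look for an explicit Allow ACE on the
#    domain root that carries GenericRead and is inherited by every descendant.
#    Note: this inspects explicit ACEs only; read granted via group membership
#    (for example Authenticated Users) is not resolved here, step 3 is the real test.
$acl = Get-Acl -Path "AD:\$DomainDN"
$genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$rootRead = $acl.Access | Where-Object {
    $_.IdentityReference -eq $Scanner -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $genericRead) -eq $genericRead) -and
    $_.InheritanceType -eq 'All'
}
if ($rootRead) { "Root + children: explicit read ACE present for $Scanner" }
else           { "Root + children: no explicit inherited read ACE for $Scanner" }

# 2. Deleted Objects container: by default only SYSTEM has rights here, so an
#    administrator first takes ownership, then grants List Children + Read Property.
dsacls $DeletedDN /takeownership | Out-Null
dsacls $DeletedDN /G "$($Scanner):LCRP"  | Out-Null

# 3. Verify as the scanner account itself. AD silently omits objects the caller
#    cannot read, so query the container by identity: a missing right surfaces as
#    an error instead of an empty result.
$cred = Get-Credential -UserName $Scanner -Message 'Password for the scanner account'
try {
    $null = Get-ADObject -Identity $DeletedDN -IncludeDeletedObjects `
                         -Credential $cred -ErrorAction Stop
    "Deleted Objects container: readable by $Scanner"
} catch {
    "Deleted Objects container: NOT readable by $Scanner ($($_.Exception.Message))"
}
```

Run the script from an elevated PowerShell session as a domain administrator; step 3 is the check that matters, because it exercises the same account the scanner will use.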
Organization Distributed Scan
Organization Distributed Scan is enabled by default. You can see its configured settings in the Endpoint Settings view > AD Scanners.
Full Active Directory Sync
In the Full Active Directory Sync, one Endpoint client is defined as the Active Directory scanner; it collects the information and sends it to the Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server).
To download the Endpoint client to be defined as an AD scanner:
- Go to the Overview tab.
- Click the Download button in the blue bar.
- Click the Download button under Client for AD integration.
To configure the AD scanner:
- In the left navigation panel, click Asset Management.
- In the left pane, click Computers.
- In the top toolbar, click Computer Actions, and in the General Actions section, click Directory Scanner.
  The Scanner window opens.
- Fill in this information:

| SECTION | REQUIRED INFORMATION |
|---|---|
| Connect from computer | |
| AD Login details | |
| AD Connection | |
When you create a new AD scanner, the Organization Directory Scan is automatically disabled.
To see information on your activated AD scanners, go to the Endpoint Settings view.
Note - You can also reach the scanner configuration form through the Endpoint Settings view > Setup full Active Directory sync.