Organizations that use Microsoft Active Directory can use AD Query to acquire identities.
When you set the AD Query option to get identities, you are configuring clientless employee access for all Active Directory users. To enforce access options, create rules in the Firewall Rule Base that contain Access Role objects. An Access Role object defines users, computers and network locations as one object.
Active Directory users that log in and are authenticated will have seamless access to resources based on Firewall rules.
James Wilson is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the Security Gateway policy permits access only from James' desktop, which is assigned a static IP address 10.0.0.19.
He received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets James Wilson access the HR Web Server from his laptop with a static IP (10.0.0.19).
| Name | Source | Destination | VPN | Service | Action | Track |
|---|---|---|---|---|---|---|
| Jwilson to HR Server | Jwilson_PC | HR_Web_Server | | | | |
He wants to move around the organization and continue to have access to the HR Web Server.
To make this scenario work, the IT administrator does these steps:
The logs in the Logs & Monitor view of SmartConsole show that the system recognizes James Wilson as the user behind IP 10.0.0.19. This log entry shows that the system maps the source IP to the user James Wilson from CORP.ACME.COM. This uses the identity acquired from AD Query.
Note - AD Query maps the users based on AD activity. This can take some time and depends on user activity. If James Wilson is not identified (the IT administrator does not see the log), he should lock and unlock the computer.
To let James Wilson access the HR Web Server from any computer, change the rule in the Access Control Policy Rule Base. Create an Access Role for James Wilson, from any network and any computer. In the rule, change the source object to be the Access Role object (for example, HR_Partner).
| Name | Source | Destination | VPN | Services & Applications | Action | Track |
|---|---|---|---|---|---|---|
| HR Partner Access | HR_Partner | HR_Web_Server | | | | |
Install the policy. You can now remove the static IP address from the laptop of James Wilson and give it a dynamic IP address. The Security Gateway lets James Wilson, who is defined in the HR_Partner Access Role, access the HR Web Server from his laptop with a dynamic IP address.
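To make the difference between the two rules concrete, here is a small added model of the matching logic (constructed example code, not Check Point's implementation): an identity map that stands in for what AD Query learns, an Access Role that combines user and network, and a rule base evaluated first-match. The 12-hour session lifetime, the dynamic address 10.0.5.77 and the user name `CORP.ACME.COM\jwilson` are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class AccessRole:
    """Users, computers and network locations combined in one object."""
    name: str
    users: set        # AD user names allowed, or {"any"}
    networks: list    # ip_network objects the role applies to ("any" = 0.0.0.0/0)
@dataclass
class Rule:
    name: str
    source: object    # a static host IP string, or an AccessRole
    destination: str
    action: str

# IP -> (user, learned_at), filled by AD Query from AD logon events (constructed seed)
IDENTITY_TTL = 12 * 3600                      # assumed identity session lifetime, seconds
identity_map = {"10.0.0.19": ("CORP.ACME.COM\\jwilson", 0)}

def learn_identity(src_ip, user, at):
    """Record a new IP-to-user association (e.g. after a lock/unlock)."""
    identity_map[src_ip] = (user, at)

def identity_for(src_ip, now):
    """User behind src_ip, or None if AD Query has not seen it or it aged out."""
    user, learned_at = identity_map.get(src_ip, (None, 0))
    return user if user and now - learned_at < IDENTITY_TTL else None

def rule_matches(rule, src_ip, dst, now):
    if rule.destination != dst:
        return False
    if not isinstance(rule.source, AccessRole):
        return rule.source == src_ip          # legacy static-IP host object
    role = rule.source
    if not any(ip_address(src_ip) in net for net in role.networks):
        return False
    user = identity_for(src_ip, now)
    return user is not None and ("any" in role.users or user in role.users)

def decide(rulebase, src_ip, dst, now=0):
    """First matching rule wins; unmatched traffic hits the implicit cleanup rule."""
    for rule in rulebase:
        if rule_matches(rule, src_ip, dst, now):
            return rule.action
    return "Drop"

HR_PARTNER = AccessRole("HR_Partner", {"CORP.ACME.COM\\jwilson"}, [ip_network("0.0.0.0/0")])
OLD_RULEBASE = [Rule("Jwilson to HR Server", "10.0.0.19", "HR_Web_Server", "Accept")]
NEW_RULEBASE = [Rule("HR Partner Access", HR_PARTNER, "HR_Web_Server", "Accept")]
```

Until AD Query has mapped the laptop's new address to James Wilson, the Access Role rule does not match and the traffic is dropped, which is the situation the note above addresses with a lock/unlock; the old static-IP rule never matches the new address at all.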