
Acquiring Identities for Active Directory Users

Organizations that use Microsoft Active Directory can use AD Query to acquire identities.

When you set the AD Query option to get identities, you are configuring clientless employee access for all Active Directory users. To enforce access options, create rules in the Firewall Rule Base that contain Access Role objects. An Access Role object defines users, computers and network locations as one object.

Active Directory users that log in and are authenticated will have seamless access to resources based on Firewall rules.

Scenario: Laptop Access

James Wilson is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the Security Gateway policy permits access only from James' desktop, which is assigned a static IP address 10.0.0.19.

He received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets James Wilson access the HR Web Server from his laptop with a static IP (10.0.0.19).

| Name | Source | Destination | VPN | Service | Action | Track |
|------|--------|-------------|-----|---------|--------|-------|
| Jwilson to HR Server | Jwilson_PC | HR_Web_Server | Any Traffic | Any | accept | Log |

He wants to move around the organization and continue to have access to the HR Web Server.

To make this scenario work, the IT administrator does these steps:

  1. Enables Identity Awareness on a Security Gateway, selects AD Query as one of the Identity Sources and installs the policy.
  2. Checks the logs in the Logs & Monitor view of SmartConsole to make sure the system identifies James Wilson in the logs.
  3. Adds an Access Role object to the Firewall Rule Base that lets James Wilson access the HR Web Server from any computer and from any location.
  4. Sees how the system tracks the actions of the Access Role in the Logs & Monitor view of SmartConsole.

User Identification in the Logs

The logs in the Logs & Monitor view of SmartConsole show that the system recognizes James Wilson as the user behind IP 10.0.0.19. This log entry shows that the system maps the source IP to the user James Wilson from CORP.ACME.COM. This uses the identity acquired from AD Query.
Note - AD Query maps the users based on AD activity. This can take some time and depends on user activity. If James Wilson is not identified (the IT administrator does not see the log), he should lock and unlock the computer.

Using Access Roles

To let James Wilson access the HR Web Server from any computer, change the rule in the Access Control Policy Rule Base. Create an Access Role for James Wilson, from any network and any computer. In the rule, change the source object to be the Access Role object (for example, HR_Partner).

| Name | Source | Destination | VPN | Services & Applications | Action | Track |
|------|--------|-------------|-----|-------------------------|--------|-------|
| HR Partner Access | HR_Partner | HR_Web_Server | Any | Any | accept | None |

Install the policy. You can remove the static IP address from the laptop of James Wilson and give it a dynamic IP address. The Security Gateway lets James Wilson, who is defined in the HR_Partner Access Role, access the HR Web Server from his laptop with a dynamic IP address.
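The following added example is not Check Point code; it is a toy first-match rule base that models the two tables above so the difference between the static-IP rule and the Access Role rule can be exercised directly. The user name, the laptop's dynamic address 10.0.0.57 and the second user at the old desktop address are constructed, and the identity table stands in for what AD Query learns from domain controller logon events. It also reproduces the caveat from the Note: until AD Query has mapped the source IP to a user, the Access Role rule does not match and the traffic falls through to the cleanup rule.

```python
# Added example (not Check Point's code): toy rule base comparing the static-IP
# rule with the HR_Partner Access Role rule. User names and IPs are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Host:
    """Network object with one static IP (Jwilson_PC = 10.0.0.19 in the page)."""
    name: str
    ip: str

    def matches(self, src_ip: str, identities: Dict[str, str]) -> bool:
        return src_ip == self.ip


@dataclass(frozen=True)
class AccessRole:
    """Identity object: listed users, from any network and any machine."""
    name: str
    users: frozenset

    def matches(self, src_ip: str, identities: Dict[str, str]) -> bool:
        # The gateway only knows who is behind an IP once AD Query mapped it;
        # an unmapped IP yields None, which is never in the role's user set.
        return identities.get(src_ip) in self.users


@dataclass(frozen=True)
class Rule:
    name: str
    source: Union[Host, AccessRole]
    destination: str
    action: str


HR_WEB_SERVER = "HR_Web_Server"
JWILSON = "CORP.ACME.COM\\jwilson"  # constructed account name for James Wilson


def learn_identity(identities: Dict[str, str], src_ip: str, user: str) -> Dict[str, str]:
    """Simulate AD Query learning from a DC security event that `user` is behind `src_ip`."""
    identities[src_ip] = user
    return identities


def evaluate(rules: List[Rule], src_ip: str, dst: str,
             identities: Dict[str, str]) -> Tuple[str, str]:
    """First-match evaluation; the implicit cleanup rule drops everything else."""
    for rule in rules:
        if rule.destination == dst and rule.source.matches(src_ip, identities):
            return rule.name, rule.action
    return "Cleanup", "drop"


# 'Before': the first table, source tied to a static IP.
STATIC_RULEBASE = [
    Rule("Jwilson to HR Server", Host("Jwilson_PC", "10.0.0.19"), HR_WEB_SERVER, "accept"),
]
# 'After': the second table, source is the HR_Partner Access Role.
ROLE_RULEBASE = [
    Rule("HR Partner Access", AccessRole("HR_Partner", frozenset({JWILSON})), HR_WEB_SERVER, "accept"),
]


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Walk through the page's scenario and return each rule-base decision."""
    identities: Dict[str, str] = {}  # nothing learned by AD Query yet
    results = {}
    # Desktop with the static IP: the old rule matches.
    results["desktop_static_rule"] = evaluate(STATIC_RULEBASE, "10.0.0.19", HR_WEB_SERVER, identities)
    # Laptop on a dynamic address (constructed): the static rule cannot match.
    results["laptop_static_rule"] = evaluate(STATIC_RULEBASE, "10.0.0.57", HR_WEB_SERVER, identities)
    # Same laptop, Access Role rule, but AD Query has not mapped the IP yet (the Note's caveat).
    results["laptop_role_unidentified"] = evaluate(ROLE_RULEBASE, "10.0.0.57", HR_WEB_SERVER, identities)
    # User locks and unlocks the laptop: a logon event lets AD Query map the IP.
    learn_identity(identities, "10.0.0.57", JWILSON)
    results["laptop_role_identified"] = evaluate(ROLE_RULEBASE, "10.0.0.57", HR_WEB_SERVER, identities)
    # A different user (constructed) later sits at the old desktop address.
    learn_identity(identities, "10.0.0.19", "CORP.ACME.COM\\contractor")
    results["other_user_static_rule"] = evaluate(STATIC_RULEBASE, "10.0.0.19", HR_WEB_SERVER, identities)
    results["other_user_role_rule"] = evaluate(ROLE_RULEBASE, "10.0.0.19", HR_WEB_SERVER, identities)
    return results


if __name__ == "__main__":
    for case, decision in run_scenario().items():
        print(f"{case:28s} -> {decision}")
```

The last two cases show the defensive point behind the change: the static-IP rule accepts whoever happens to hold 10.0.0.19, while the Access Role rule accepts only the identified HR partner, wherever he is, and nothing at all until the identity is actually known.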