Managing Active Directory Scanners

If your organization uses Microsoft Active Directory (AD), you can import users, groups, Organizational Units (OUs) and computers from multiple AD domains into the Endpoint Security Management Server (a Security Management Server that manages your Endpoint Security environment; it includes the Endpoint Security policy management and databases, and communicates with endpoint clients to update their components, policies, and protection data). After the objects are imported, you can assign policies.

When you first log in to the Endpoint Web Management Console, the AD tree is empty. To populate the tree with computers from the Active Directory, you must configure the Directory Scanner (a component of the Endpoint Security Management Server that scans the defined Active Directory and copies the existing Active Directory structure to the server database).

The Directory Scanner scans the defined Active Directory and fills the AD table in the Computer Management view, copying the existing Active Directory structure to the server database.

Harmony Endpoint Management Platform supports the use of multiple AD scanners per Active Directory domain, and multiple domains per service.

Required Permissions to Active Directory:

For the scan to succeed, the user account related to each Directory Scanner instance requires full read permissions to:

  • The Active Directory root.

  • All child containers and objects.

  • The deleted objects container.

An object deleted from the Active Directory is not immediately erased, but moved to the Deleted Objects container.

Comparing objects in the AD with those in the Deleted objects container gives a clear picture of network resources (computers, servers, users, groups) that have changed since the last scan.

The Active Directory Scanner does not scan Groups of type "Distribution".

Required Configuration for Domains:

On the Active Directory server, set the Groups Scope to Domain Local only.

The Endpoint Web Management Console supports two methods of Active Directory scanning:

  • Organization distributed scan

  • Full Active Directory sync

Organization Distributed Scan

Organization Distributed Scan is enabled by default. You can see its configured settings in the Endpoint Settings view > AD Scanners.

Each Endpoint client sends its path to the Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server).

By default, each Endpoint client sends its path every 120 minutes. In this method, only devices with Harmony Endpoint installed report their paths; other devices do not report their information.

Full Active Directory Sync

In the Full Active Directory Sync, one Endpoint client is defined as the Active Directory scanner. It collects the information and sends it to the Security Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server).

To configure the AD scanner:

  1. In the Computer Management view, click Create Directory Scanner.

    The Scanner window opens.

  2. Fill in this information:
    1. Computer name - Select a computer as your AD scanner.

    2. AD Login Details - Enter the user name and password information to access the Active Directory.

      Note - xxx

    3. Domain controller - Enter the name of the Domain controller and the port for the scan.

    4. Use SSL communication (recommended) - Select this checkbox if you want the connection between the AD scanner and the Domain Controller to be over SSL.

    5. LDAP path - The address of the scanned directory server.

    6. Sync AD every - Select the interval at which the scan is performed.

When you create a new AD scanner, the Organization Directory Scan is automatically disabled.

To see information on your activated AD scanners, go to the Endpoint Settings view.

Note - You can also reach the scanner configuration form through the Endpoint Settings view > Setup full Active Directory sync.
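Before creating a scanner, it is worth confirming that the account you will enter under AD Login Details actually holds the read permissions listed above (root, child containers, Deleted Objects container) and that the Domain Controller answers on the LDAPS port used by the recommended SSL option. The following PowerShell check is an added example, not Check Point's own code; it assumes the ActiveDirectory (RSAT) module is installed, and the domain controller name and credential are placeholders you supply.

```powershell
<#
Added example (not Check Point's code): pre-flight checks for a Directory Scanner account.
Assumes the ActiveDirectory PowerShell module (RSAT) is installed; the domain controller
name and the scanner credential are placeholders supplied by the caller.
#>
function Test-DirectoryScannerPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $DomainController,        # e.g. "dc01.corp.example" (placeholder)
        [Parameter(Mandatory)] [pscredential] $ScannerCredential  # account entered under "AD Login Details"
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Common parameters: run every query as the scanner account against the chosen DC.
    $ad = @{ Server = $DomainController; Credential = $ScannerCredential; ErrorAction = 'Stop' }
    $result = [ordered]@{}

    # 1. Read permission on the Active Directory root.
    try {
        $domain = Get-ADDomain @ad
        $result.RootReadable = $null -ne (Get-ADObject -Identity $domain.DistinguishedName @ad)
    } catch { $result.RootReadable = $false; $result.RootError = $_.Exception.Message }

    # 2. Read permission on child containers and objects: count what the account can enumerate.
    try {
        $result.OUsVisible       = @(Get-ADOrganizationalUnit -Filter * @ad).Count
        $result.ComputersVisible = @(Get-ADComputer -Filter * @ad).Count
        # The scanner skips Distribution groups, so only Security groups are counted.
        $result.SecurityGroupsVisible = @(Get-ADGroup -Filter 'GroupCategory -eq "Security"' @ad).Count
    } catch { $result.ChildError = $_.Exception.Message }

    # 3. Read permission on the Deleted Objects container (tombstones). Without it the
    #    scanner cannot tell which computers were removed since the last scan.
    try {
        $deleted = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                       -SearchBase $domain.DeletedObjectsContainer @ad
        $result.DeletedObjectsReadable = $true
        $result.TombstonesVisible = @($deleted).Count
    } catch { $result.DeletedObjectsReadable = $false; $result.DeletedError = $_.Exception.Message }

    # 4. "Use SSL communication" is recommended: confirm LDAPS (TCP 636) answers on the DC.
    $result.LdapsReachable = Test-NetConnection -ComputerName $DomainController -Port 636 -InformationLevel Quiet

    [pscustomobject]$result
}

# Interactive usage (placeholder DC name):
# Test-DirectoryScannerPrerequisites -DomainController 'dc01.corp.example' -ScannerCredential (Get-Credential)
```

A `$false` in DeletedObjectsReadable or LdapsReachable points to the prerequisite to fix before the scanner is created; the counts show how much of the tree the account can see.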