Configuring Identity Awareness for a Domain Forest (Subdomains)
Create a separate LDAP Account Unit for each domain in the forest (subdomain). You cannot add domain controllers from two different subdomains into the same LDAP Account Unit.
You can use the Identity Awareness (a Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA) Configuration Wizard to configure one specified subdomain. This automatically creates an LDAP Account Unit that you can then configure with more settings. You must manually create LDAP Account Units for all other domains that you want Identity Awareness to work with, from Servers and OPSEC in the Objects tree > Servers > New > LDAP Account Unit.
When you create an LDAP Account Unit for each domain in the forest:
- Make sure the username is one of these:
  - A Domain administrator account that is a member of the Domain Admins group in the subdomain. Enter the username as subdomain\user.
  - An Enterprise administrator account that is a member of the Enterprise Admins group in the domain. If you use an Enterprise administrator, enter the username as domain\user.
  For example, if the domain is ACME.COM, the subdomain is SUB.ACME.COM, and the administrator is John_Doe:
  - If the admin is a Domain administrator, the Username is: SUB.ACME.COM\John_Doe
  - If the admin is an Enterprise administrator, the Username is: ACME.COM\John_Doe
  Note - In the wizard, this is the Username field. In the LDAP Account Unit, go to LDAP Server Properties tab > Add > Username.
- In LDAP Server Properties tab > Add > Login DN, add the login DN.
- In Objects Management tab > Branches in use, edit the base DN
  from: DC=DOMAIN_NAME,DC=DOMAIN_SUFFIX
  to: DC=SUB_DOMAIN_NAME,DC=DOMAIN_NAME,DC=DOMAIN_SUFFIX
  For example, change DC=ACME,DC=local to DC=SUB,DC=ACME,DC=local
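As an added example that is not part of this guide and not Check Point code: a small Python pre-flight check that applies the rules above (one Account Unit per domain, base DN of the subdomain itself, username as subdomain\user or forest-root\user) to a planned set of LDAP Account Units before you enter them in SmartConsole. The AccountUnit record, the helper names and the sample forest are constructed for illustration.

```python
"""Pre-flight check for planning one LDAP Account Unit per domain of a forest.

Added example, not Check Point code. The AccountUnit record, the helper names
and the sample forest below are constructed for illustration. The rules checked
follow the guide text:
  1. one Account Unit must not hold domain controllers from two domains,
  2. the base DN (Branches in use) must be the DN of the unit's own subdomain,
     not the parent domain's DN,
  3. the username is either SUBDOMAIN\\user (Domain Admins member) or
     FORESTROOT\\user (Enterprise Admins member).
"""
from dataclasses import dataclass
from typing import List


def fqdn_to_base_dn(fqdn: str) -> str:
    """'SUB.ACME.COM' -> 'DC=SUB,DC=ACME,DC=COM' (one DC= component per label)."""
    return ",".join(f"DC={label}" for label in fqdn.strip(".").split("."))


def normalize_dn(dn: str) -> str:
    """DNs are case-insensitive; drop whitespace around commas for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).upper()


def dc_domain(dc_fqdn: str) -> str:
    """Domain a domain controller belongs to: 'dc1.sub.acme.com' -> 'sub.acme.com'."""
    return dc_fqdn.split(".", 1)[1].lower()


@dataclass
class AccountUnit:
    name: str
    domain: str                    # the (sub)domain this unit is meant to serve
    domain_controllers: List[str]  # FQDNs of the DCs added to the unit
    username: str                  # LDAP Server Properties > Username
    base_dn: str                   # Objects Management > Branches in use


def check_account_unit(au: AccountUnit, forest_root: str) -> List[str]:
    """Return a list of problems; an empty list means the unit follows the rules."""
    problems: List[str] = []

    # Rule 1: no mixing of subdomains inside one unit.
    domains = {dc_domain(dc) for dc in au.domain_controllers}
    if len(domains) > 1:
        problems.append(f"{au.name}: domain controllers from several domains "
                        f"{sorted(domains)}; create one Account Unit per domain")
    elif domains and domains != {au.domain.lower()}:
        problems.append(f"{au.name}: domain controllers belong to "
                        f"{domains.pop()}, not to {au.domain}")

    # Rule 2: base DN must name the subdomain itself, not its parent.
    expected = normalize_dn(fqdn_to_base_dn(au.domain))
    if normalize_dn(au.base_dn) != expected:
        problems.append(f"{au.name}: base DN {au.base_dn!r} should be "
                        f"{expected!r} (the subdomain, not its parent)")

    # Rule 3: username prefix is the subdomain (Domain Admin) or the forest root
    # (Enterprise Admin).
    prefix, sep, user = au.username.partition("\\")
    if not sep or not user:
        problems.append(f"{au.name}: username {au.username!r} must be DOMAIN\\user")
    elif prefix.lower() not in {au.domain.lower(), forest_root.lower()}:
        problems.append(f"{au.name}: username prefix {prefix!r} is neither "
                        f"{au.domain} nor the forest root {forest_root}")
    return problems


# Constructed sample forest: root acme.com with one subdomain sub.acme.com.
FOREST_ROOT = "acme.com"
PLANNED_UNITS = [
    AccountUnit("AU_acme", "acme.com", ["dc1.acme.com"],
                "ACME.COM\\John_Doe", "DC=ACME,DC=COM"),
    # Base DN was left as the parent domain's DN instead of being edited.
    AccountUnit("AU_sub", "sub.acme.com", ["dc1.sub.acme.com", "dc2.sub.acme.com"],
                "SUB.ACME.COM\\John_Doe", "DC=ACME,DC=COM"),
    # Domain controllers from two domains placed in one unit.
    AccountUnit("AU_mixed", "sub.acme.com", ["dc1.sub.acme.com", "dc1.acme.com"],
                "ACME.COM\\John_Doe", "DC=SUB,DC=ACME,DC=COM"),
]


def check_forest(units: List[AccountUnit], forest_root: str) -> List[str]:
    """Run the checks over every planned Account Unit."""
    return [p for au in units for p in check_account_unit(au, forest_root)]


if __name__ == "__main__":
    for problem in check_forest(PLANNED_UNITS, FOREST_ROOT) or ["all Account Units OK"]:
        print(problem)
```

Running the script against the sample reports two problems: AU_sub still carries the parent domain's base DN, and AU_mixed combines domain controllers from acme.com and sub.acme.com; AU_acme passes. Replace the sample with your own planned units and forest root to check a real design.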