
Chapter 7 Using the SonicWALL ADConnector


In this Chapter

"Content Security Manager Active Directory Integration"
"Installing the SonicWALL ADConnector"
"Starting the ADConnector Configuration Tool"
"Configuring the SonicWALL Content Security Manager for Active Directory"
"Applying a Policy in the ADConnector"

Content Security Manager Active Directory Integration

Microsoft Active Directory maintains information about users, user groups and other resources within your network. This information includes items like authentication data, permissions, and specific attributes from various applications. To provide direct, single-sign-on integration with Microsoft’s Active Directory, the SonicWALL Content Security Manager product includes the SonicWALL ADConnector to provide an interface between the SonicWALL Content Security Manager filtering policies and Active Directory.

The SonicWALL ADConnector is a separate program that you must install on a Windows workstation from which you manage Microsoft Active Directory. You then use the ADConnector as a Snap-In to the Microsoft Management Console (MMC). Once installed, the SonicWALL ADConnector consists of two processes:

SonicWALL AD Configuration Tool provides the user interface for navigating users and user groups and managing the content filtering policies assigned to users and user groups.
SonicWALL ADConnector Service runs as a background service and provides the communication between the SonicWALL Content Security Manager and Active Directory.

The ADConnector enumerates the domain on which it has been installed and provides the ability to apply content filtering policies to AD users and groups. In the case of the SonicWALL Content Security Manager, Active Directory stores a list of content filtering policies and the policies that apply to individual users, user groups, computers, and organizational units. The SonicWALL ADConnector provides communication between the content security appliance and Active Directory to associate policies on the SonicWALL Content Security Manager with these objects in Active Directory.

To assign a policy to a user with the SonicWALL ADConnector, select the user in Active Directory. The ADConnector provides the list of content filtering policies from the content filtering appliance. You can then select a policy to assign to the user in Active Directory. When a user requests an Internet resource, the SonicWALL Content Security Manager requests the user information from the SonicWALL ADConnector. The ADConnector retrieves the user and the associated policy from Active Directory and passes that information back to the content security appliance. The content security appliance then applies the rules in the associated policy to the user, based on the definition of the policy within the content security appliance.

Installing the SonicWALL ADConnector

Alert: The following instructions assume Active Directory is fully operational on your network.
Note: If you are not using Active Directory, the SonicWALL Content Security Manager includes a built-in user and group authentication database. Refer to Chapter 6, Configuring User Authentication for instructions on configuring local users and groups on the SonicWALL Content Security Manager.

ADConnector Requirements

The Windows PC on which you install the SonicWALL ADConnector must meet the following requirements:

• Direct or routable access to both the Active Directory Domain Controller and the SonicWALL Content Security Manager.
• An always-on computer, so that the SonicWALL Content Security Manager appliance can communicate with the Windows computer as needed.
• A computer that belongs to the domain against which the authentication occurs.
• Administrative privileges on the local machine. The account must also have the “Log on as a service” privilege, which even the 'administrator' account does not have by default. To add this privilege, in Windows, use the “dompol.msc” (Domain Security Policy), “dcpol.msc” (Domain Controller Security Policy), or “secpol.msc” (Local Security Policy) settings manager, as appropriate. Under Local Policies > User Rights Assignment, select the 'Log on as a service' policy and make sure the account you are using to install the ADConnector service has this privilege (either implicitly or explicitly).
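The following PowerShell script is an added example, not part of the SonicWALL manual, that lists which accounts currently hold the “Log on as a service” right (SeServiceLogonRight) on the local machine and reports whether a given service account is among them. It exports the local security policy with secedit, so it must be run from an elevated prompt; the account name CORP\svc-adconnector is a constructed placeholder.

```powershell
# Added example (not from the SonicWALL manual): list the holders of the
# "Log on as a service" right (SeServiceLogonRight) on this machine and check
# whether the intended ADConnector service account is listed explicitly.
# Requires an elevated prompt. $Account is a constructed placeholder.
param(
    [string]$Account = "CORP\svc-adconnector"   # assumed example service account
)

$inf = Join-Path $env:TEMP "user-rights.inf"
# secedit writes the [Privilege Rights] section of the local policy to an INF file;
# /areas USER_RIGHTS limits the export to user rights assignments.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight' }
if (-not $line) {
    Write-Output "No account holds SeServiceLogonRight on this machine."
    Remove-Item $inf
    return
}

# Right-hand side is a comma-separated list of *SID entries (or plain names).
$entries = ($line -split '=', 2)[1].Trim() -split ','
$holders = foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $e }   # unresolvable SID (for example a deleted account): keep raw
    } else { $e }
}
Remove-Item $inf

Write-Output "Accounts with 'Log on as a service':"
$holders | ForEach-Object { Write-Output "  $_" }

if ($holders -contains $Account) {
    Write-Output "$Account holds the right explicitly."
} else {
    Write-Output "$Account is not listed explicitly. It may still hold the right through one of the groups above; otherwise grant it under Local Policies > User Rights Assignment."
}
```

Run this on the workstation before starting the installer; if the service account is neither listed nor a member of a listed group, the ADConnector Service will fail to start after installation.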

Information You Need to Configure ADConnector

Use this information to install and configure the SonicWALL ADConnector:

• Content Security Manager X0/X1 interface IP address: ______________________
• Content Security Manager ADConnector configuration port number: ___________________
• Content Security Manager ADConnector configuration shared secret: ___________________
  The shared secret must be a 16-digit hexadecimal number, for example: 0123456789abcdef.
• IP address of the ADConnector workstation: ______________________
• Workstation administrator account name: ______________________
• AD Domain administrator account name: ______________________
• Password for the AD Domain Administrator account: ______________________
Alert: Do not install the SonicWALL ADConnector directly on the Active Directory Domain Controller.
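Because the same 16-digit hexadecimal value is entered on both the ADConnector and the Content Security Manager, it is worth generating a random one rather than reusing the documentation value 0123456789abcdef. The script below is an added example, not part of the SonicWALL manual: it draws 8 bytes from the Windows cryptographic random number generator to produce a 16-digit hexadecimal secret, and validates any candidate against the format the installer and the Shared Secret field require. The rejected sample values are constructed for illustration.

```powershell
# Added example (not from the SonicWALL manual): generate and validate a
# 16-digit hexadecimal shared secret for the ADConnector/CSM link.
function New-AdConnectorSharedSecret {
    # 8 random bytes from the OS CSPRNG -> 16 lowercase hexadecimal characters.
    $bytes = New-Object byte[] 8
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-AdConnectorSharedSecret {
    param([Parameter(Mandatory)][string]$Secret)
    # Exactly 16 hexadecimal digits, as both the installer and the CSM field expect.
    return $Secret -match '^[0-9a-fA-F]{16}$'
}

$secret = New-AdConnectorSharedSecret
Write-Output "Generated shared secret: $secret"
Write-Output ("Format check: " + (Test-AdConnectorSharedSecret -Secret $secret))

# Constructed bad inputs: too short, non-hex characters, too long.
foreach ($bad in @('0123456789abcde', 'ghijklmnopqrstuv', '0123456789abcdef0')) {
    Write-Output ("{0,-20} -> {1}" -f $bad, (Test-AdConnectorSharedSecret -Secret $bad))
}
```

Record the generated value in the worksheet above and enter it identically in both places; a mismatch shows up later as the Directory Services Connector not responding or as a synchronization error on the CSM Policies tab.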

Installing the ADConnector Application

The SonicWALL ADConnector installation wizard installs both the SonicWALL AD Configuration Tool and the SonicWALL ADConnector Service.

1. Download the SonicWALL ADConnector application from your mySonicWALL.com account at <https://www.mysonicwall.com>.
2. Launch the ADConnector setup program.
3. You may be prompted to install the Microsoft .NET Framework 1.1. Click Yes.
4. You may also see a Security Warning dialog box asking if you want to accept a certificate from InstallShield Software Corporation. SonicWALL uses InstallShield® to install the ADConnector software. Click Yes.
5. If you are installing the Microsoft .NET Framework, select I Agree in the Microsoft .NET License Agreement dialog box, then click Install. When the Microsoft .NET installation is complete, the SonicWALL ADConnector installation wizard starts.
6. The Welcome page is displayed for the SonicWALL ADConnector. Click Next.
7. In the License Agreement page, click I accept the terms in the license agreement if you want to continue with the installation. Click Next.
8. On the Customer Information page, enter your name and organization. Click Next.
9. On the Destination Folder page, use the default directory or click on the Change button to specify another directory to install the program files. Click Next.
10. On the Ready to Install the Program page, click Install.
11. On the ADConnector Configuration page, enter:
  CSM Appliance IP - the IP address of the SonicWALL Content Security Manager.
  CSM Appliance Port - the UDP port used for communication between the two devices. The default is 2258. The same value is specified in the Directory Services Connector Configuration window in the SonicWALL Content Security Manager management interface.
  Shared Key - the DES passphrase used to encrypt the communication between the devices. The Shared Key must be a 16-digit hexadecimal number, for example: 0123456789abcdef.
12. Click Next.
13. On the ADConnector User Configuration page, enter the following information for accessing the Active Directory domain, and then click Next:
  ADConnector Username - an Active Directory domain user account with administrative privileges.
  ADConnector Password - the password for the account.
  Domain Name - the Active Directory domain in which the user account resides.
14. On the Wizard Completed page, click Finish. The ADConnector starts automatically.

Starting the ADConnector Configuration Tool

After completing the installation wizard for the SonicWALL ADConnector, the ADConnector starts automatically. You can also manually start the service. The ADConnector service must be running at all times for the SonicWALL Content Security Manager to communicate with Active Directory.

1. On your desktop, double-click the ADConnector Configuration Tool icon, or from your Windows Start menu, select Programs > SonicWALL > SonicWALL ADConnector > ADConnector Configuration Tool. The ADConnector Configuration Tool launches as a Snap-In to the Microsoft Management Console (MMC).
2. In the Console Root window, click the expand (+) icon next to SonicWALL ADConnector in the left column to display its contents in the right column.
3. Click the SonicWALL CSM Appliance icon.
4. Select the entry in the right pane and click the Start button on the toolbar above the entry.

Preparing the ADConnector Configuration Tool for First Time Use

1. Expand the Users list to view the users.
2. The first time you click on a user, you are asked to supply the Active Directory Attributes for the SonicWALL ADConnector. Click OK in the Warning dialog box.
3. In the Attribute Selection dialog box, select attributes that are otherwise unused in your system, for example, IP Phone. If you wish, you can add attributes to Active Directory for use by the ADConnector, but it is not necessary. Select different attributes for Group Policy Attribute, User Policy Attribute, and the other fields. Once the attributes have been selected, you can manage content filtering policies for Active Directory users, groups, computers, and organizational units.

Configuring the SonicWALL Content Security Manager for Active Directory

1. In the SonicWALL Content Security Manager management interface, select Users and Hosts > Settings.
2. In the Authentication Method section, select Use Directory Services Connector and click the Configure button. The Directory Service Connector Configuration window is displayed.
3. On the DSC tab, enter the IP address of the computer/server running the ADConnector Service in the IP Address field.
4. In the Port Number field, type the port number on which the CSM will communicate with the ADConnector.
5. Enter a 16-character shared secret in the Shared Secret field. This must be the same as the shared key you configured for the ADConnector when you installed it. An example of a Shared Secret you can use in the Shared Secret field is 0123456789abcdef.
6. Click OK to apply the configuration.
7. In the Users and Hosts > Settings page, click Configure for Directory Services Connector again.
8. Click Check. The Directory Services Connector Agent Status window is displayed. If the ADConnector service is detected, the message Directory Services Connector is ready is displayed.
9. Click OK twice to exit.

At the end of step 8, if you see the message Directory Services Connector is not responding, test connectivity from the Content Security Manager to the ADConnector:

1. In the management interface, click System and then click Diagnostics.
2. In the System > Diagnostics page, select Ping from the Diagnostic Tool list.
3. In the Ping host or IP address field, enter the IP address of your ADConnector and click Go.
• If the ADConnector is not responding, check that the computer with the ADConnector is turned on and has Internet connectivity. Then ping it again.
• If the ADConnector is not responding, or is alive but has a very long Ping time (greater than 50 milliseconds), add a static route from the Content Security Manager to the ADConnector. See Chapter 5, Configuring Network Settings for more information.
• If the ADConnector is alive with a fast Ping time, your connectivity from the Content Security Manager to the ADConnector is good. Verify that the service is running and that the user you configured it with has sufficient privileges to communicate with the Active Directory domain controller.
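The Ping test above only proves that the appliance can reach the workstation. The script below is an added example, not part of the SonicWALL manual, for the checks a practitioner would run on the ADConnector workstation itself: that the ADConnector service is installed and running, that something is bound to the configured UDP port, and that the machine is domain-joined and can reach its domain controller. The service display-name pattern and the domain controller name are assumptions (the manual does not give the service's name), and 2258 is the default CSM Appliance Port from the installation steps.

```powershell
# Added example (not from the SonicWALL manual): workstation-side checks that
# complement the appliance-side Ping test. $ServicePattern and $DomainController
# are assumptions; $Port is the installer's default CSM Appliance Port.
param(
    [string]$ServicePattern   = '*ADConnector*',      # assumed display-name pattern
    [int]$Port                = 2258,                 # default CSM Appliance Port
    [string]$DomainController = 'dc01.corp.example'   # constructed placeholder
)

# 1. Is the ADConnector service installed and running?
$svc = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern }
if (-not $svc) {
    Write-Output "No service matching '$ServicePattern' found; re-run the installer."
} else {
    $svc | ForEach-Object { Write-Output ("Service '{0}': {1}" -f $_.DisplayName, $_.Status) }
}

# 2. Is anything bound to the configured UDP port? netstat works on every Windows version.
$udp = netstat -a -n -p UDP | Select-String (":{0}\s" -f $Port)
if ($udp) {
    Write-Output "UDP port $Port is bound:"
    $udp | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "Nothing is bound to UDP $Port; check the service state and the port entered during installation."
}

# 3. Is this machine domain-joined, and does the domain controller answer?
$cs = Get-CimInstance Win32_ComputerSystem
Write-Output ("Domain-joined: {0} (domain: {1})" -f $cs.PartOfDomain, $cs.Domain)
if (Test-Connection -ComputerName $DomainController -Count 2 -Quiet) {
    Write-Output "Domain controller $DomainController answers ICMP."
} else {
    Write-Output "Domain controller $DomainController did not answer; check routing and firewall rules."
}
```

If the service is running and the port is bound but the appliance still reports the connector as not responding, the remaining suspects are the IP address, port and shared key entered on the two sides, which must match exactly.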

Applying a Policy in the ADConnector

In the SonicWALL ADConnector you assign content filtering policies by assigning a policy to an individual user, user group, or other object. You can assign only one policy per user or other object.

Users and Multiple Groups

A user can belong to many groups in AD and can therefore have multiple content filtering policies assigned: one policy for each group the user belongs to that has a policy assigned. In this case, the user receives the combination of all “Allow” rules assigned to any of those groups, but only the “Block” rules and “Log” rules that are common to all of those groups.
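The merge rule described above has a security consequence worth seeing concretely: a block in one group does not survive unless every other group the user belongs to blocks the same thing, while any group's allow applies. The function below is an added example, not part of the SonicWALL manual or the ADConnector, that models that rule (union of Allow, intersection of Block and Log) over constructed group policies so the effective result can be reasoned about before assigning policies.

```powershell
# Added example (not from the SonicWALL manual): model of the effective policy
# for a user in several AD groups, following the chapter's description --
# Allow rules are the union across groups, Block and Log rules are only those
# present in every group. Group names, rule names and categories are constructed.
function Get-EffectivePolicy {
    param([Parameter(Mandatory)][hashtable[]]$GroupPolicies)

    $allow = @(); $block = @(); $log = @(); $first = $true
    foreach ($p in $GroupPolicies) {
        $allow += @($p.Allow)                      # union
        if ($first) {                              # first group seeds the intersections
            $block = @($p.Block); $log = @($p.Log); $first = $false
        } else {                                   # later groups only narrow them
            $block = @($block | Where-Object { $p.Block -contains $_ })
            $log   = @($log   | Where-Object { $p.Log   -contains $_ })
        }
    }
    return @{
        Allow = @($allow | Sort-Object -Unique)
        Block = @($block | Sort-Object -Unique)
        Log   = @($log   | Sort-Object -Unique)
    }
}

# Constructed sample: a user who is a member of both Finance and Engineering.
$finance = @{ Allow = @('banking'); Block = @('social', 'streaming'); Log = @('webmail') }
$eng     = @{ Allow = @('github');  Block = @('social');              Log = @('webmail', 'forums') }

$eff = Get-EffectivePolicy -GroupPolicies @($finance, $eng)
Write-Output ("Allow: " + ($eff.Allow -join ', '))
Write-Output ("Block: " + ($eff.Block -join ', '))
Write-Output ("Log:   " + ($eff.Log   -join ', '))
```

With the constructed sample, the effective policy allows banking and github, blocks only social (streaming is blocked by Finance alone, so it drops out), and logs only webmail (forums is logged by Engineering alone). Adding a user to an additional group can therefore widen what is allowed and remove blocks; review group memberships with that in mind when a policy appears not to take effect.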

Applying a Policy to a User or Other Object

Before you apply a policy to a user, group, computer, or OU in Active Directory, you must have:

• Use Directory Services Connector selected and configured in the Users and Hosts > Settings page in the SonicWALL Content Security Manager management interface.
• Individual content filtering policies configured in the SonicWALL Content Security Manager.
• The individual content filtering policies assembled into useful combinations in Policies in the Policies > Policy List page in the SonicWALL Content Security Manager management interface.
• Users and other objects configured in Active Directory.

To apply policies:

1. Start the SonicWALL ADConnector Configuration Tool.
2. On the SonicWALL Content Security Manager, from the Directory Services Connector Configuration dialog box, click the Check button to test communications with the ADConnector service (make sure the service is running first).
3. In the ADConnector Configuration Tool, in the left pane, right-click the CSM appliance and select Properties.
4. In the dialog box, click the CSM Policies tab.

You should see the policies that are configured on the SonicWALL Content Security Manager. If an error message is displayed, synchronization has not occurred. Check the IP address, Port, and Shared Key settings and make certain they are the same in both the ADConnector and the SonicWALL Content Security Manager.

5. Expand the Users, Groups, Organizational Units, and Computers containers in the left pane. Clicking a container enumerates its members in the right pane.
6. Select the user or other object to which you want to assign content filtering.
7. Right-click the object and select Add Policy.
8. Select the policy you want to apply from the drop-down list and click OK.

Changing Policies

1. Select the user or other object for which you want to change policies.
2. Right-click the object and select Properties.
3. Select the new policy you want to apply from the drop-down list and click OK.

Removing Policies

1. In the left pane, select the user or other object from which you want to remove content filtering policies.
2. In the right pane, select the assigned policy.
3. Right-click the assigned policy and select Delete.

Understanding Status Messages

The ADConnector displays the following SonicWALL Content Security Manager messages in the Status column.

Message: SyncError
Cause: Unknown error causing an out-of-sync status between the SonicWALL Content Security Manager and the ADConnector.
Resolution Action: The ADConnector tries to resolve this automatically by setting it to OK status. It then needs to be determined whether the Content Security Manager continues to insist that this is a sync error.

Message: OK
Cause: The policy can be assigned to users and groups and shows up in the menu.
Resolution Action: No resolution is required.

Message: AgentOnly
Cause: The policy was deleted from the SonicWALL Content Security Manager but is still assigned to a user or group in the ADConnector.
Resolution Action: This is the only status in which the policy can be deleted from the ADConnector. The policy name stored in the ADConnector is not cleaned up automatically.

Message: Assigned
Cause: The policy is assigned to a user or group.
Resolution Action: No resolution is required.

Deleting Policies in ADConnector

The basic premises of deleting policies from the ADConnector are as follows:

• All policies should be managed only from the Content Security Manager.
• The delete function in the ADConnector exists to remove policies that are out of sync with the Content Security Manager. It works only when the AgentOnly or SyncError status is displayed in the Status column.
