This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
You can add an Active Directory to your list of Directories.
Before you begin
IDex Agent
Install IDex Agent V2 to sync your Active Directory to Cloud.
Appliance hostname
If you have only one domain, we recommend that the appliance hostname is on the Active Directory domain, for example if using domain.local the appliance could be called appliance.domain.local
Change the hostname if required. You will need to update your Certificates.
Conditional DNS Forwarding
Ensure you have Conditional DNS Forwarders configured for your domain:
- Add the IP address of a domain DNS server, and a domain declaration in the domain.local format.
- Optionally, add any reverse DNS addresses into the Domains field - for example: 168.192.in-addr.arpa
In Active Directory
Decide which user account in Active Directory to use for the setup.
- We recommend creating a new standard user account for this purpose, with a password that does not expire.
- It should not be an existing domain administrator.
- It must have permission to modify the Computer’s container, including being able to create keytab files across the domain or forest.
Time
To prevent syncing issues, ensure the time set on your Smoothwall appliance matches the time set in your Active Directory server.
Manage Active Directory on your Smoothwall appliance
Add an Active directory
- Go to Services > Authentication > Directories.
- Select Add new directory.
- Ensure the Enabled checkbox is selected.
- If in a multi-tenant environment, select the tenant.
- Select the Type as Active Directory.
- Enter the full DNS Domain name. Other trusted domains are allowed access automatically.
- Enter the Username and Password of the user account and re-enter the password to make sure it is correct.
- To change caching behaviour, select Advanced options.
- Cache timeout (minutes) is how long the Smoothwall appliance keeps a record of directory-authenticated users in its cache. The default is 10 minutes, or you can amend this.
- Select the Cache Kerberos PAC groups Enabled checkbox to cache group membership information from Kerberos tickets permanently.
- If you have a ‘Hybrid’ setup, you’ll see a Directory in Cloud Portal field.
- If you use IDex Agent, select Enabled to sync the directory group mappings between On-Premise Appliance and Cloud.
- If you don’t use IDex Agent, don’t select this checkbox - the directory will only exist in the On-Premise Appliance.
- Optionally, enter a comment.
- Select Add.
Sync Active Directory
When changes are made on your Active Directory (AD) server, changes are synced to Cloud overnight if IDex Agent V2 is installed.
To sync immediately, run 'sendaddatanow.exe' on your Active Directory (AD) server.
Edit or delete an Active directory
Go to Services > Authentication > Directories, hover over the directory and select Edit or Delete.
You can clear the Enabled box to keep the directory but not use it in Smoothwall.
Using Negotiate login (Kerberos login) or Negotiate in-line (Kerberos in-line)
After deleting the Active Directory, or clearing the Enabled checkbox, if you use Negotiate login and have applied the script outlined here, or use Negotiate in-line as your authentication method, you must delete your account from your Active Directory controllers.
- Search for the Smoothwall computername on all Active Directory controllers.
- Find the computer account and delete it.
- Wait 10 minutes, then search again to check it was deleted as expected.
If you need to enable an Active Directory connection with the Smoothwall appliance again:
- Add the Username and Password for any new service users to the Active Directory in Smoothwall.
- If a hostname change is required, change the hostname. You will need to update your Certificates.
- Select the Enabled checkbox for the Active Directory in Smoothwall again.
Next step
You must map your Directory User Groups to the Smoothwall User Groups to authenticate users and apply Web Filter Policies.