Re: Secure Access identity question

Maciej Waliszko · ‎08-05-2024

Hello,

Let's say that I want to build a security policy where source is equal to MS AD group (users/groups will be provisioned through AD connector). My question is the following. How does firewall feature of SA know about IP-user mapping? According to what I am reading SAML is only for SWG/ZTA... Any hints?

ccieexpert · ‎08-05-2024

The AD connector provides user to IP mapping for all features..

are you seeing any issues with that ?

Maciej Waliszko · ‎08-06-2024

The problem is that there are no single word in the SA documentation about its integration with Umbrella VA (nothing is also seen in the SA dashboard to do this integration). This is in contrary to Umbrella SIG docs where we can find nice info like the one below

https://docs.umbrella.com/umbrella-user-guide/docs/identity-and-sig-deployment

ccieexpert · ‎08-06-2024

AD connector is different from VA... VA is not required with SSE.. but AD connector is required..

Please see this:

https://docs.sse.cisco.com/sse-user-guide/docs/provision-users-and-groups-from-azure-active-directory#prerequisites

For IP-to-user mapping deployments, you must use an on-premises Secure Access AD connector. Azure does not store the private IP to Active AD user mappings.

**Please rate as helpful if this was useful **

howe · ‎09-24-2024

VA is not **required** with SSE, but it is available to provide DNS level protection with user attribution for policy application and reporting. Details here: https://docs.sse.cisco.com/sse-user-guide/docs/deploy-virtual-appliances Useful for agent-less deployments in IOT, servers etc. as it was with Umbrella.