04-15-2014 02:18 PM
We have a Cisco IronPort S370 web security appliance, and want to set it up so that it can authenticate users in our Active Directory and apply access policies to them.
I joined the appliance to the domain and added the authentication realm, but I don't see anywhere to specify groups from AD to create policies for. For instance, if I create some URL filtering policy, I want to be able to connect that back to a group in AD.
Anyone know how to do this?
04-16-2014 11:22 PM
1. First check whether your WSA is integrated with AD successfully by Test authentication realm settings; it should be successful.
2. Then go to Access policies --> New policy --> under policy member definition --> check the Selected groups and users radio button --> then click the No groups entered link to specify the AD group. Here you will find all AD groups; select your desired group and add it to the right pane.
HTH
"Please rate helpful posts"
04-17-2014 07:15 AM
OK, step 1 works: the IronPort tests out fine against AD.
Step 2 is where I get stuck.
I go into Access Policies-->New Policy
I give it a name like "Test" and then go to Policy Member Definition
Below that is a pull-down menu with "Identities and Users" with the options "All Identities" and "Select One or More Identities".
I don't see a radio button or a "No groups entered" option.
04-17-2014 07:32 AM
Ah, I think I found it: the group I was using had "no authentication required" in identities, and therefore did not show me everything.
04-17-2014 07:36 AM
However, when I select "Selected Groups and Users" I only get the option to manually put in individual users such as DOMAIN\colin.
Shouldn't I be seeing more than this? How do I put in a group?
04-17-2014 08:55 AM
Under Identities and Users, select the option 'All Identities'.
Beneath that, select "Selected Groups and Users".
Under that, click the "Groups: No groups entered" link.
Normally you must see Domain\group name.
04-22-2014 08:24 AM
The account that is used to create an account for the IronPort in AD must be an Enterprise Admin -- no other will work, even if those accounts have domain management credentials. Once we put these credentials in, we were able to fetch the users and groups.