
Standalone AD forest support

ymadheka
Level 4

Hi Team,

We are working on an opportunity for a WSA appliance at a customer with multiple locations. The customer requires the key features below:

  • Support for different standalone AD forests, or
  • Manual ID creation for non-domain users such as guest / Linux-based users.

As I understand from the configuration guides, we need to have a trust relationship for the first point, but in this case these are separate standalone forests.

Thanks in advance for any kind suggestion.

Thanks & Regards,

Yogesh Madhekar

3 Replies

So first off, the "manual id" creation is an issue, as the WSA has no facility for it...

You'll have to set up something for that for guests (an ldap or ADAM instance??).  Presumably the Linux clients may have normal AD users on them?

To do multiple ADs/LDAPs, you set up multiple realms and put them in a realm sequence. It's under Network/Authentication. Once you create the second realm you'll see the Realm Sequence stuff..

Hi Ken,

Thanks for the quick revert.

The customer is using standalone AD forests, so it is not only multiple ADs/domains but also no trust relationship.

Yes, and that's supported.

Dig into the help file...

SSO might be a thing, but you can fix most of those issues by deploying a CDA...

You may need to look at the network layout...

Here's a snip from the help file.

Creating an Active Directory Authentication Realm (NTLMSSP and Basic)

Before You Begin

 • Ensure you have the rights and domain information needed to join the Web Security appliance to the Active Directory domain you wish to authenticate against.

 • If you plan to use “domain” as the NTLM security mode, use only nested Active Directory groups. If Active Directory groups are not nested, use the default value, “ads”. See setntlmsecuritymode in the Command Line Interface appendix of this guide.

 • Compare the current time on the Web Security appliance with the current time on the Active Directory server and verify that the difference is no greater than the time specified in the “Maximum tolerance for computer clock synchronization” option on the Active Directory server. If the Web Security appliance is managed by a Security Management appliance, be prepared to ensure that same-named authentication realms on different Web Security appliances have identical properties defined on each appliance. Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.

 • For NTLMSSP, single sign on (SSO) can be configured on client browsers. See Configuring Single-Sign-on.

Using Multiple NTLM Realms and Domains

The following rules apply in regard to using multiple NTLM realms and domains:

 • You can create up to 10 NTLM authentication realms.

 • The client IP addresses in one NTLM realm must not overlap with the client IP addresses in another NTLM realm.

 • Each NTLM realm can join one Active Directory domain only but can authenticate users from any domains trusted by that domain. This trust applies to other domains in the same forest by default and to domains outside the forest to which at least a one way trust exists.

Create additional NTLM realms to authenticate users in domains that are not trusted by existing NTLM realms.

 1. Choose Network > Authentication.

 2. Click Add Realm.

 3. Assign a unique name to the authentication realm using only alphanumeric and space characters.

 4. Select Active Directory in the Authentication Protocol and Scheme(s) field.

 5. Enter up to three fully-qualified domain names or IP addresses for the Active Directory server(s).

Example: active.example.com.

An IP address is required only if the DNS servers configured on the appliance cannot resolve the Active Directory server hostname.
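The realm rules quoted from the help file (at most 10 NTLM realms, alphanumeric-and-space realm names, up to three AD servers per realm, no overlapping client IP ranges between realms, and the clock-skew check against the AD server's "Maximum tolerance for computer clock synchronization" value) can be checked before anyone touches the appliance. The script below is an added example written for this thread; it is not Cisco code and does not talk to a WSA. The realm definitions and hostnames are constructed sample data, and the tolerance value is assumed to be read from the customer's AD policy rather than hard-coded here.

```python
"""Pre-deployment sanity check for a planned set of WSA NTLM realms.

Added example, not Cisco code. It encodes the rules quoted from the WSA help
file: at most 10 NTLM realms, realm names of alphanumeric and space characters
only, one to three AD servers per realm, and no overlap of client IP ranges
between realms. SAMPLE_REALMS is constructed data for two standalone forests.
"""
import ipaddress
import re
from datetime import datetime

MAX_NTLM_REALMS = 10          # from the help file
MAX_AD_SERVERS = 3            # "up to three fully-qualified domain names or IP addresses"
NAME_RE = re.compile(r"^[A-Za-z0-9 ]+$")


def validate_realms(realms):
    """Return a list of human-readable problems; an empty list means the plan passes."""
    problems = []
    if len(realms) > MAX_NTLM_REALMS:
        problems.append(f"{len(realms)} NTLM realms planned; the limit is {MAX_NTLM_REALMS}")

    parsed = []  # (realm name, [ip_network, ...]) for the overlap check
    for realm in realms:
        name = realm["name"]
        if not NAME_RE.match(name):
            problems.append(f"realm {name!r}: name must use only alphanumeric and space characters")
        if not 1 <= len(realm["servers"]) <= MAX_AD_SERVERS:
            problems.append(f"realm {name!r}: needs 1 to {MAX_AD_SERVERS} AD servers, has {len(realm['servers'])}")
        nets = []
        for cidr in realm["client_ranges"]:
            try:
                nets.append(ipaddress.ip_network(cidr, strict=False))
            except ValueError:
                problems.append(f"realm {name!r}: {cidr!r} is not a valid IP range")
        parsed.append((name, nets))

    # Client IP ranges of one NTLM realm must not overlap with those of another.
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            for a in parsed[i][1]:
                for b in parsed[j][1]:
                    if a.version == b.version and a.overlaps(b):
                        problems.append(
                            f"client range {a} in realm {parsed[i][0]!r} overlaps {b} in realm {parsed[j][0]!r}"
                        )
    return problems


def clock_skew_within_tolerance(wsa_time, ad_time, tolerance_seconds):
    """True if the WSA and AD clocks differ by no more than the AD tolerance.

    tolerance_seconds is assumed to be taken from the AD server's
    "Maximum tolerance for computer clock synchronization" setting.
    """
    return abs((wsa_time - ad_time).total_seconds()) <= tolerance_seconds


# Constructed sample: two standalone forests; Forest B deliberately reuses a
# subnet that sits inside Forest A's range so the overlap rule fires.
SAMPLE_REALMS = [
    {"name": "Forest A",
     "servers": ["dc1.foresta.example", "dc2.foresta.example"],
     "client_ranges": ["10.1.0.0/16"]},
    {"name": "Forest B",
     "servers": ["dc1.forestb.example"],
     "client_ranges": ["10.2.0.0/16", "10.1.5.0/24"]},
]

if __name__ == "__main__":
    for line in validate_realms(SAMPLE_REALMS) or ["realm plan passes"]:
        print(line)
    # Assumed tolerance of 300 seconds for the demonstration run only.
    print("clock ok:", clock_skew_within_tolerance(
        datetime(2024, 1, 1, 12, 0, 0), datetime(2024, 1, 1, 12, 2, 0), 300))
```

Each realm in a sequence must own a disjoint set of client addresses, so the overlap check is the one most worth running when several sites and forests are being folded into one appliance; fixing a realm's client ranges after the fact is cheap, but the help file notes that a realm's authentication protocol cannot be changed once committed.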