Connect Active Directory to Secure Access

The Cisco Active Directory (AD) Connector integrates Cisco Secure Access with your users and groups, which are deployed in Microsoft AD. Before you can provision users and groups from Active Directory, you must connect your instance of AD to Secure Access.

Prerequisites

Configure a Connector Server

You must configure a server that is a member of the AD domain with the following environment:

  • Windows Server 2012, 2012 R2, 2016, 2019 or 2022 with the latest service packs and 100MB free hard disk drive space.
  • .NET Framework 4.5 or newer.
  • If a local anti-virus application is running, allow the CiscoAuditClient.exe and CiscoAuditService.exe processes.

You may deploy the Cisco AD Connector directly on the domain controller. In this case, the domain controller must meet all prerequisites. Only one Cisco AD Connector is required to provision users and groups from an AD domain. For redundancy, add an optional second connector.

Allow Outbound Network Access to Secure Access

The Cisco AD Connector server requires outbound access to certain URLs. If you use a transparent HTTP web proxy, ensure that the following URLs on port 80/443 are excluded from the proxy, and not subject to authentication:

  • 443 (TCP) to api.opendns.com to sync the AD Users and Groups.
  • Access to additional URLs on port 80/443 (TCP) for Windows to perform Certificate Revocation List and Code-Signing checks. For a complete list of ports, see AD Connector Communication Flow and Troubleshooting.
  • 443 (TCP) to disthost.umbrella.com to download updates to the Cisco AD Connector.

Create the Connector Account

When you deploy the Cisco AD Connector, you must create a new user account in the AD domain. This account must have these attributes:

  • Set the account name (sAMAccountName) to Cisco_Connector.
    Note: You can sign in with a custom username that has the required permissions.

  • Select Password never expires.
    Note: Passwords must not include backslashes, quotations (single or double), greater-than or less-than chevron brackets (< >), or colons.

  • Assign Read and Replicating Directory Changes permissions.
    Alternately, you can make the Cisco AD Connector account a member of the built-in Enterprise Read-only Domain Controllers group, which automatically assigns these permissions.

    Note: The Cisco AD Connector performs an initial synchronization of the AD structure to Secure Access. After the sync, it detects changes to the AD structure and communicates only those changes. Detecting the changes requires the Replicating Directory Changes permission; the Cisco AD Connector cannot function without it. The Replicating Directory Changes permission is different from the Replicating Directory Changes All permission, which enables retrieval of password hashes. The Cisco AD Connector does not read password hashes and thus does not require the Replicating Directory Changes All permission.
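The following PowerShell is an added example, not part of the Cisco documentation: it creates the connector account with the attributes listed above, grants Read plus Replicating Directory Changes on the domain naming context, and checks that Replicating Directory Changes All was not granted. It assumes the ActiveDirectory module, rights to edit the domain ACL, and the well-known extended-right GUIDs for the two replication permissions; the function names are this example's own.

```powershell
Import-Module ActiveDirectory
# Well-known extended-right GUIDs: DS-Replication-Get-Changes is "Replicating
# Directory Changes"; DS-Replication-Get-Changes-All is the "All" variant
# (password-hash retrieval), which the connector must NOT be granted.
$GetChangesGuid    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$GetChangesAllGuid = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ConnectorPassword {
    # Rejects the characters the page disallows: backslash ' " < > :
    param([Parameter(Mandatory)][string]$PlainText)
    return ($PlainText -notmatch '[\\''"<>:]')
}

function New-ConnectorAccount {
    param([string]$SamAccountName = 'Cisco_Connector',
          [Parameter(Mandatory)][securestring]$Password)
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false
}

function Grant-ReplicatingDirectoryChanges {
    # Grants Read (inherited down the tree) plus the single extended right.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $domainDn = (Get-ADDomain).DistinguishedName
    $sid      = (Get-ADUser -Identity $SamAccountName).SID
    $acl      = Get-Acl -Path "AD:\$domainDn"
    $type     = 'System.DirectoryServices.ActiveDirectoryAccessRule'
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $read     = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $ext      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl.AddAccessRule((New-Object -TypeName $type -ArgumentList $sid, $read, $allow, $inherit))
    $acl.AddAccessRule((New-Object -TypeName $type -ArgumentList $sid, $ext, $allow, $GetChangesGuid))
    Set-Acl -Path "AD:\$domainDn" -AclObject $acl
}

function Test-NoGetChangesAll {
    # Least-privilege check: $true when no Allow ACE grants the "All" right.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $domainDn = (Get-ADDomain).DistinguishedName
    $sid      = (Get-ADUser -Identity $SamAccountName).SID
    $ace = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $GetChangesAllGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    return ($null -eq $ace)
}
```

Run Test-ConnectorPassword on the candidate password before calling New-ConnectorAccount, and Test-NoGetChangesAll after granting permissions to confirm the account stays limited to the right it needs.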

Step 1 – Choose a Provisioning Method

  1. Navigate to Connect > Users and Groups > Users and click Provision Users, or navigate to Connect > Users and Groups > Groups and click Provision Groups.
  2. For Provisioning Method, click Active Directory.
  3. Click Next.

Step 2 – Register a Domain Controller or Domain in Secure Access

Choose the AD component type and configure the component to sync with Secure Access.

Active Directory integration requires that you register an AD domain controller or AD domain in Secure Access. The Cisco AD Connector performs an LDAP sync against this domain controller or domain to retrieve the Users and Groups. The Cisco AD Connector server communicates with the domain controller on port 389 (TCP) for LDAP or on port 636 (TCP) for LDAP over SSL.

The Cisco AD Connector can only retrieve users and groups from a single domain controller. If you register multiple domain controllers in Secure Access, the Cisco AD Connector only attempts to perform an LDAP sync against the first domain controller in the list. Ensure that the domain controller you are registering is not subject to any AD replication delays. Read-only Domain Controller (RODC) registrations are supported for retrieval of users and groups.

If you need to bring down your domain controller periodically for maintenance or updates, or if your domain controllers are behind a load balancer that does not support LDAP queries, we recommend that you register the domain instead.

Register a Domain Controller

  1. Choose Domain Controller to register the AD domain controller component.
  2. Enter the hostname, internal IP address, and domain of the domain controller. Choose an Active Directory tag to identify the AD component.
    The Active Directory connector attempts to connect to your newly added domain controller. If all the required permissions have been configured, you should not experience any issues. If there are errors, review Prerequisites or contact Support.
  3. Click Next and then follow the instructions in Step 3 – Install the Cisco AD Connector.

Register a Domain

  1. Choose Domain to register the AD domain component.
  2. For Domain, enter the domain name. Choose an Active Directory tag to identify the AD component.
  3. Click Next, and then follow the instructions in Step 3 – Install the Cisco AD Connector.

Step 3 – Download the Cisco AD Connector from Secure Access

Download the Cisco AD connector to your server.

  1. Configure a server to run the Cisco AD Connector, and then sign in to Secure Access on that server.
  2. Navigate to Connect > Users and Groups > Users and click Provision Users, or navigate to Connect > Users and Groups > Groups and click Provision Groups.
  3. For Provisioning Method, click Active Directory and choose the AD domain component.
  4. Click Next, and then click Download to save the Cisco AD connector deployment package to the server. The deployment package is named: CiscoAuditClient_vX.X.X.zip.

Note: You must download the ZIP file to the local machine where you plan to run it, or copy it locally from another machine. We do not recommend that you install the Cisco AD Connector from a network drive or run the setup.msi directly from the compressed file.

Step 4 – Install the Cisco AD Connector

As an administrator, extract the contents of the CiscoConnector ZIP file that you downloaded from Secure Access to a folder on the server, and then navigate to that folder.
Note: If you run the AD Connector installer files from the root directory of your server, you may encounter installation errors.

  1. Run setup.msi, and then in the Cisco Connector Setup wizard, click Next.

  2. Choose the directory on the server to install the Cisco AD Connector.

  3. Confirm that you permit your AD Users and Groups to sync to Secure Access from the Cisco AD Connector.

  4. Add your Active Directory credentials. Enter the Username of the Connector user (Cisco_Connector or custom username) and the Password. For more information, see Prerequisites.

  5. Follow the remaining prompts in the setup and when finished, click Close.

Step 5 – Verify that the Cisco AD Connector Syncs with Secure Access

  1. Navigate to Connect > Users and Groups and then choose Provision Users and Groups > Active Directory.
  2. Navigate to Installed Active Directory Components. Enter text for an AD component tag in the search bar to query for an installed AD component or click the ellipsis (...) to edit or delete the AD component.
  • Name—The hostname of the Windows computer where you installed the AD Controller.
  • Internal IP—The internal IP address of the AD Controller.
  • AD Tag—The unique label that identifies the AD component.
  • Type—The type of AD component, either Domain Controller or Domain.
  • Status—The state of the AD component.
  • Version—The version of the AD component.

The status of your domain controller and connectors should change from Inactive to Active (green). If the configured domain controller or connectors are not active after a period of time, contact Secure Access Support.

It can take up to four hours for large numbers of AD user, computer and group objects to synchronize for the first time. During this time, the connector status icon may appear as red until the initial sync is complete. After the sync completes, the connector status icon is labeled as Active (green).

Seeing your groups listed means the domain controllers have automatically synchronized user and computer group memberships with Secure Access through the connector successfully. Any subsequent changes should also sync successfully.

Note: If the connector does not appear in Secure Access and port 443 is confirmed to be open to api.opendns.com, crl4.digicert.com, and ocsp.digicert.com, the connector server may be missing the DigiCert CA. To confirm, visit https://api.opendns.com/v2/OnPrem.Asset. If a certificate error is presented, download and install the latest DigiCert Global Root CA from DigiCert and restart the Connector service. If it does not appear, contact Support.
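To verify the outbound access listed under Prerequisites and the certificate-trust condition in the note above, here is an added PowerShell example (not from the Cisco documentation) that tests TCP 443 reachability to the hosts this page names and then opens a TLS session to api.opendns.com so that a missing DigiCert root surfaces as an untrusted chain. The function names are this example's own.

```powershell
# Hosts named on this page; TCP 443 is what the connector needs to reach.
$ConnectorHosts = 'api.opendns.com', 'disthost.umbrella.com',
                  'crl4.digicert.com', 'ocsp.digicert.com'

function Test-ConnectorEgress {
    # Reports TCP reachability per host; a failed row usually means a proxy
    # or firewall is intercepting the connector's outbound traffic.
    param([string[]]$Hosts = $ConnectorHosts, [int]$Port = 443)
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port = $Port; TcpOpen = $r.TcpTestSucceeded }
    }
}

function Test-ConnectorTlsTrust {
    # Performs the TLS handshake Windows performs for the connector and
    # reports whether the server chain is trusted; an untrusted result
    # points at the missing DigiCert Global Root CA described above.
    param([string]$HostName = 'api.opendns.com', [int]$Port = 443)
    $client = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $stream = $client.GetStream()
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $stream, $false
        try {
            $ssl.AuthenticateAsClient($HostName)   # throws when the chain is untrusted
            [pscustomobject]@{ Host = $HostName; Trusted = $true
                               Issuer = $ssl.RemoteCertificate.Issuer; Detail = '' }
        } catch {
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            [pscustomobject]@{ Host = $HostName; Trusted = $false; Issuer = ''; Detail = $ex.Message }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

Test-ConnectorEgress | Format-Table -AutoSize
Test-ConnectorTlsTrust | Format-List
```

Run it on the connector server itself, because proxy exclusions and the machine certificate store are what the connector service actually sees.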

Specify AD Groups of Interest

Optionally, you can specify the AD Groups of interest for the purpose of creating access rules in Secure Access.

  1. Identify the AD Groups of interest. Users and computers belonging to these Groups synchronize to Secure Access.
    For each sub-tree, only the parent group needs to be specified. All AD groups, users, and computers that are part of this parent group are automatically included.
    Note: If you enabled Selective Sync, AD Users and Computers that are not members of Groups specified in CiscoADGroups.dat or their subgroups are not synchronized to Secure Access and are completely exempt from Secure Access access rules and reports.
  2. Create a CiscoADGroups.dat file in the C:\ drive of each machine where the connector is installed.
    The connector only reads the C:\CiscoADGroups.dat file. If the file is incorrectly named or is not present in the C:\ drive, all groups are imported to Secure Access.
  3. List the AD groups that need to be synchronized in distinguished name (DN) format in this file.

Supported Organizational Units

CN=My Group,OU=Organizational Unit,DC=sample,DC=local

Unsupported Organizational Units

OU=My OU,OU=Organizational Unit,DC=sample,DC=local

Sample File Entries

CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com
CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com
CN=Marketing,CN=Builtin,DC=ciscoumbrella,DC=com
  4. Ensure that there are no blank lines anywhere in the file.
    Note: If you are running multiple connectors, the file C:\CiscoADGroups.dat should be present on each system running the connector and should be identical on each system.

Total Number of Groups Selected for Synchronization

The total number of Groups selected for synchronization—Groups specified in the selective sync file and all of their subgroups—should not exceed 15,000. Also, these Groups should not be nested within more than five OU levels. Selective synchronization fails in both cases. If you cannot meet either of these requirements, we recommend that you do not use the selective sync file. Instead, you can do a full AD tree synchronization.
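As an added example (not from the Cisco documentation), this PowerShell function checks a CiscoADGroups.dat file against the rules in this section: no blank lines, CN= group DNs rather than OU= entries, at most 15,000 listed groups and at most five OU levels per entry, and it returns a SHA-256 hash so the copies on each connector server can be compared. The function name and its DN splitting are this example's own; it does not query AD, so subgroups are not counted toward the 15,000 limit.

```powershell
function Test-CiscoADGroupsFile {
    # Checks a selective-sync file against the rules on this page and returns
    # a SHA-256 hash so the copies on each connector server can be compared.
    param(
        [string]$Path = 'C:\CiscoADGroups.dat',
        [int]$MaxGroups = 15000,   # limit that also counts subgroups
        [int]$MaxOuDepth = 5       # limit on OU nesting
    )
    $problems = New-Object -TypeName 'System.Collections.Generic.List[string]'
    if (-not (Test-Path -LiteralPath $Path)) {
        $problems.Add('file not found: the connector falls back to importing all groups')
        return [pscustomobject]@{ Path = $Path; Valid = $false; Problems = $problems.ToArray(); Sha256 = $null }
    }
    # @() keeps a one-line file as an array instead of a single string.
    $lines = @(Get-Content -LiteralPath $Path)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $n = $i + 1
        $line = $lines[$i]
        if ($line.Trim() -eq '') { $problems.Add("line ${n}: blank line"); continue }
        # Split into RDNs at commas that start a CN=, OU= or DC= component.
        # Escaped commas (\,) inside a name are not handled in this example.
        $rdns = $line -split ',(?=\s*(?:CN|OU|DC)=)'
        if ($rdns[0] -notmatch '^\s*CN=') { $problems.Add("line ${n}: must start with CN= (a group); OU= entries are unsupported") }
        if ($rdns[-1] -notmatch '^\s*DC=') { $problems.Add("line ${n}: DN must end with DC= components") }
        $ouDepth = @($rdns | Where-Object { $_ -match '^\s*OU=' }).Count
        if ($ouDepth -gt $MaxOuDepth) { $problems.Add("line ${n}: $ouDepth OU levels (max $MaxOuDepth)") }
    }
    if ($lines.Count -gt $MaxGroups) {
        $problems.Add("$($lines.Count) groups listed; the $MaxGroups limit also counts subgroups")
    }
    [pscustomobject]@{
        Path     = $Path
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

Test-CiscoADGroupsFile | Format-List
```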

