Connect Active Directory to VAs
The Cisco Active Directory (AD) Connector integrates Cisco Secure Access with your instance of Microsoft AD. Before you can provision users and groups from Active Directory, connect your instance of AD to Secure Access by deploying an AD Connector.
You can install the AD Connector in the same Site as your deployed Secure Access Virtual Appliances.
This guide describes the steps to download and install the AD Connector.
How to Configure the Setup of the AD Connector
The deployment of the AD Connector has various components. Configure the AD Connector to provision users and groups from Microsoft AD using LDAP or LDAPS (domain controller or domain).
- Add domain controllers in Secure Access for LDAP or LDAPS deployments. For more information, see Prepare Your AD Environment.
- Download the AD Connector ZIP file from Secure Access.
- Install and configure the AD Connector on your server.
- View the installed AD Connector in Secure Access and verify that users and groups begin to synchronize to Secure Access.
Table of Contents
- Prerequisites
- (Optional) Specify AD Groups
- Procedure
- Change the Connector Account Password
- Configure Updates to AD Connectors
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- For information about the requirements for deploying the Cisco AD Connector, see Prerequisites for AD Connector.
- Add the AD components in Secure Access. For more information, see Prepare Your AD Environment.
(Optional) Specify AD Groups
Optionally, you can specify the AD Groups for the purpose of creating access rules in Secure Access.
- Identify the AD Groups of interest. Users and computers belonging to these Groups synchronize to Secure Access.
For each sub-tree, only the parent group needs to be specified. All AD groups, users, and computers that are part of this parent group are automatically included.
Note: If you enabled Selective Sync, AD Users and Computers that are not members of Groups specified in CiscoUmbrellaADGroups.dat or their subgroups are not synchronized to Secure Access and are completely exempt from Secure Access access rules and reports.
- Create a CiscoUmbrellaADGroups.dat file in the C:\ drive of each machine where the connector is installed.
The connector only reads the C:\CiscoUmbrellaADGroups.dat file. If the file is incorrectly named or is not present in the C:\ drive, all groups are imported to Secure Access.
- List the AD groups that need to be synchronized in distinguished name (DN) format in this file.
- Ensure that there are no blank lines anywhere in the file.
Note: If you are running multiple AD Connectors, the file C:\CiscoUmbrellaADGroups.dat should be present on each system running the connector and should be identical on each system.
Supported Organizational Units
CN=My Group,OU=Organizational Unit,DC=sample,DC=local
Unsupported Organizational Units
OU=My OU,OU=Organizational Unit,DC=sample,DC=local
Sample File Entries
CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com
CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com
CN=Marketing,CN=Builtin,DC=ciscoumbrella,DC=com
Total Number of Groups Selected for Synchronization
The groups specified in the selective sync file, together with all of their subgroups, should not exceed 15,000. Also, these groups should not be nested within more than five OU levels. Selective synchronization fails in both cases. If you cannot meet either of these requirements, we recommend that you do not use the selective sync file and instead run a full AD tree synchronization.
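As an added example (not Cisco's code), the following validator applies the rules above to a CiscoUmbrellaADGroups.dat file before it is placed on a connector host: group entries only (CN=, not OU=), no blank lines, at most 15,000 groups, and no more than five OU levels. Counting OU= components in each DN as the nesting depth is an assumption about how the connector measures it.

```python
import re

# Limits stated on the page for the selective-sync file.
MAX_GROUPS = 15_000
MAX_OU_DEPTH = 5

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs; commas escaped as '\\,' stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"not an RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def validate_groups_file(text: str) -> list[str]:
    """Return the problems found; an empty list means the file is acceptable."""
    problems = []
    lines = text.splitlines()
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            problems.append(f"line {lineno}: blank line")
            continue
        try:
            rdns = parse_dn(line.strip())
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if rdns[0][0] != "CN":
            problems.append(f"line {lineno}: entry must be a group (CN=), OU entries are unsupported")
        # Assumption: nesting depth is the number of OU= components in the DN.
        if sum(attr == "OU" for attr, _ in rdns) > MAX_OU_DEPTH:
            problems.append(f"line {lineno}: nested deeper than {MAX_OU_DEPTH} OU levels")
    if len([l for l in lines if l.strip()]) > MAX_GROUPS:
        problems.append(f"more than {MAX_GROUPS} groups listed")
    return problems

# Constructed sample: two valid entries, a blank line and an unsupported OU entry.
SAMPLE = (
    "CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com\n"
    "CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com\n"
    "\n"
    "OU=My OU,OU=Organizational Unit,DC=sample,DC=local\n"
)

if __name__ == "__main__":
    for problem in validate_groups_file(SAMPLE):
        print(problem)
```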
Procedure
Download, install, and configure the AD Connector.
- Step 1 – Set Up Domain Controllers
- Step 2 – Download the Active Directory Connector
- Step 3 – Install the Active Directory Connector
- Step 4 – View the Installed AD Components in Secure Access
Step 1 – Set Up Domain Controllers
- For more information, see Prepare Your AD Environment.
Step 2 – Download the Active Directory Connector
Download the AD Connector from Secure Access to your server.
- Configure a server to run the AD Connector, and then sign in to Secure Access on that server.
- Navigate to Connect > Users and Groups > Users and click Provision Users, or navigate to Connect > Users and Groups > Groups and click Provision Groups.
- For Provisioning Method, click Active Directory or expand Active Directory.
- For Active Directory Connector, click Download to save the AD Connector deployment package to the server. The deployment package is named: OpenDNSAuditClient_vX.X.X.zip.
Note: You must download the ZIP file to the local machine where you plan to run it, or copy it locally from another machine. We do not recommend that you install the AD Connector from a network drive or run the setup.msi directly from the compressed file.
Step 3 – Install the Active Directory Connector
As an administrator, extract the contents of the AD Connector ZIP file to a folder on the server, and then navigate to that folder.
Note: If you run the AD Connector installer from the root directory of your server, you may encounter installation errors.
- Run setup.msi, and then in the setup wizard, click Next.
- Choose the directory on the server to install the Cisco AD Connector.
- Confirm that you permit your AD Users and Groups to sync to Secure Access from the AD Connector.
- Add your Active Directory credentials. Enter the Username of the Connector user (OpenDNS_Connector or custom username) and the Password.
- Follow the remaining prompts in the setup, and when finished click Finish.
Step 4 – View the Installed AD Components in Secure Access
- For more information, see Manage Deployed AD Components.
Change the Connector Account Password
- For more information, see Change the Connector Account Password.
Configure Updates to AD Connectors
- For more information, see Configure Updates on AD Connectors.