Connect Active Directory to VAs

The Cisco Active Directory (AD) Connector integrates Cisco Secure Access with your instance of Microsoft AD. Before you can provision users and groups from Active Directory, connect your instance of AD to Secure Access by deploying an AD Connector.

Install the AD Connector in the same Site as your deployed Secure Access Virtual Appliances.

The Cisco Active Directory (AD) Connector monitors one or more domain controllers in your environment.

The AD Connector listens to user and computer logins through the security event logs, and then transmits IP-to-user and IP-to-computer mappings to your deployed Secure Access Virtual Appliances (VAs).
The AD Connector synchronizes user-to-group, computer-to-group and group-to-group memberships with Secure Access, which enables you to create and enforce group-based settings and view user, computer, and group-based reports.

The AD Connector helps import your Active Directory (AD) users, groups and computers to provide these mappings.

Note: Only one AD Connector is required for each Secure Access Site. For redundancy, add an optional second AD Connector. If you are onboarding multiple AD domains through domain controller integrations, one AD Connector is required per AD domain per Umbrella site, with an optional second connector for redundancy if required.

This guide describes the steps to install the Cisco AD Connector for LDAP or LDAPS, and provision users and groups from your instance of Microsoft AD to Secure Access.

How to Configure the Setup of the AD Connector

The deployment of the AD Connector has various components. You can configure the Cisco AD Connector to provision users and groups from Microsoft AD using LDAP or LDAPS (domain controller or domain).

(Optional) Configure authentication for the AD Connectors and Secure Access Virtual Appliances (VAs) in your environment. For more information, see Configure Authentication for AD Connectors and VAs.
Download the AD Connector ZIP file from Secure Access.
Add a domain controller or domain in Secure Access for LDAP or LDAPS deployments. For more information, see Prepare Your AD Environment.
Install and configure the AD Connector on your server.
Verify that the AD Connector begins to provision users and groups in Secure Access.

Prerequisites
(Optional) Specify AD Groups in Selective Sync File
Procedure
Change the Connector Account Password
Configure Updates to AD Connectors

Prerequisites

Full Admin user role. For more information, see Manage Accounts.
For information about the requirements for deploying the Cisco AD Connector, see Prerequisites for AD Connectors and VAs.
(Optional) Configure Authentication for the AD Connectors and VAs.
Add the AD components in Secure Access. For more information, see Prepare Your AD Environment.

(Optional) Specify AD Groups in Selective Sync File

You can specify the AD Groups for the purpose of creating access rules in Secure Access. Users and computers belonging to these Groups synchronize to Secure Access.

Rename Selective Sync File After Upgrading to AD Connector v1.14.4

If you use selective sync and upgrade the Cisco AD Connectors to v1.14.4 or later, you must rename the current selective sync file C:\CiscoUmbrellaADGroups.dat to C:\CiscoADGroups.dat.

Note: The selective sync file—previously named CiscoUmbrellaADGroups.dat—is not recognized by the Cisco AD Connector v1.1.4.4 or later.

After you rename the selective sync file, Secure Access automatically reads the selective sync file (C:\CiscoADGroups.dat) and syncs the Users in the specific Groups from AD to Secure Access. You are not required to restart the AD Connector service.

Create AD Groups in a Selective Sync File

Identify the AD Groups of interest. Users and computers belonging to these Groups synchronize to Secure Access.
For each sub-tree, only the parent group needs to be specified. All AD groups, users, and computers that are part of this parent group are automatically included.
Note: If you enabled Selective Sync, AD Users and Computers that are not members of Groups specified in CiscoADGroups.dat or their subgroups are not synchronized to Secure Access and are completely exempt from Secure Access access rules and reports.
Create a CiscoADGroups.dat file in the C:\ drive of each machine where the connector is installed.
The connector only reads the C:\CiscoADGroups.dat file. If the file is incorrectly named or is not present in the C:\ drive, all groups are imported to Secure Access.
List the AD groups that need to be synchronized in distinguished name (DN) format in this file.
Ensure that there are no blank lines anywhere in the file.
Note: If you are running multiple AD Connectors, the file C:\CiscoADGroups.dat should be present on each system running the connector and should be identical on each system.

Supported Organizational Units

CN=My Group,OU=Organizational Unit,DC=sample,DC=local

Unsupported Organizational Units

OU=My OU,OU=Organizational Unit,DC=sample,DC=local

Sample File Entries

CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com

CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com

CN=Marketing,CN=Builtin,DC=ciscoumbrella,DC=com

Total Number of Groups Selected for Synchronization

Groups specified in the selective sync file and all of their subgroups—should not exceed 15,000. Also, these Groups should not be nested within more than five OU levels. Selective synchronization fails in both cases. If you can not meet either of these requirements, we recommend that you do not use the selective sync file. Instead, you can do a full AD tree synchronization.

Procedure

Download, install, and configure the AD Connector.

Step 1 – Set Up Domain Controllers
Step 2 – Download the Active Directory Connector
Step 3 – Install the Active Directory Connector
Step 4 – View the Installed AD Components in Secure Access

Step 1 – Set Up Domain Controllers

For more information, see Prepare Your AD Environment.

Step 2 – Download the Active Directory Connector

Download the AD Connector from Secure Access to your server.

Note: When you download the AD Connector software package, and if you did not configure API key credentials for the AD Connectors, Secure Access displays a warning message. We recommend that you configure API keys for your AD Connectors. For more information, see Configure Authentication for AD Connectors and VAs.

Configure a server to run the AD Connector, and then sign in to Secure Access on that server.
Navigate to Connect > Users and Groups > Users and click Provision Users, or navigate to Connect > Users and Groups > Groups and click Provision Groups.
 For Provisioning Method, click Active Directory or expand Active Directory.
For Active Directory Connector, click  Download to save the AD Connector deployment package to the server. The deployment package is named: OpenDNSAuditClient_vX.X.X.zip.

Note: You must download the ZIP file to the local machine where you plan to run it, or copy it locally from another machine. We do not recommend that you install the AD Connector from a network drive or run the setup.msi directly from the compressed file.

Step 3 - Install the Active Directory Connector

As an administrator, extract the contents of the AD Connector ZIP file to a folder on the server, and then navigate to that folder.
Note: If you run the AD Connector installer from the root directory of your server, you may encounter installation errors.

Run setup.msi, and then in the Cisco AD Connector Setup wizard, click Next.
Choose the directory on the server to install the Cisco AD Connector.
Confirm that you permit your AD Users and Groups to sync to Secure Access from the Cisco AD Connector.
Add your Active Directory credentials. Enter the Username of the Connector user (Cisco_Connector or custom username) and the Password.
Follow the remaining prompts in the setup, and when finished click Finish.