Prerequisites for AD Connectors

To integrate your organization's identities from Microsoft Active Directory (AD) with Cisco Secure Access, deploy the Cisco AD Connector in your environment.

This guide describes the Windows Server, user account in the AD domain, and network requirements to deploy the AD Connector. You must meet these requirements before you deploy the AD Connector.

Table of Contents

• Connector Server
• Outbound Network Access to Secure Access
• Connector Account

Connector Server

You must configure a server that is a member of the AD domain with the following environment:

• Windows Server 2012, 2012 R2, 2016, 2019, or 2022 with the latest service packs and 100MB free hard disk drive space.
  Note: Windows Server Service packs prior to SP2 are not supported.
• .NET Framework 4.5 or above.
• If a local anti-virus application is running, allow the CiscoAuditClient.exe and CiscoAuditService.exe processes to run on the system.

You can deploy the AD Connector directly on the domain controller. In this case, the domain controller must meet all prerequisites for the Connector server. Only one AD Connector is required to provision identities from an AD domain. If you require high-availability of the AD Connector, deploy a second AD Connector.

Outbound Network Access to Secure Access

The server where you install the AD Connector requires outbound access on certain domains and URLs. If you are using a transparent HTTP web proxy, ensure that these domains and URLs on port 80/443 are excluded from the proxy, and not subject to authentication.

• For syncing, allow traffic on 443 (TCP) to api.sse.cisco.com.
• For Windows to perform Certificate Revocation List and Code-Signing checks, allow access to additional URLs on port 80/443 (TCP). For a complete list of ports, see AD Connector Communication Flow and Troubleshooting.
• For downloading upgrades, allow traffic on 443 (TCP) to disthost.umbrella.com.

Connector Account

To deploy the AD Connector, create a new user account in the AD domain. This account should have:

• The logon name (sAMAccountName) set to Cisco_Connector. You can use a custom username, but you must configure it with the required permissions.
• Select Password never expires.
  Note:  Passwords can not include backslashes, quotations (single or double), greater-than or less-than chevron brackets (< >), or colons.
• Assign Read and Replicating Directory Changes permissions.
  Alternatively, you can make the AD Connector account a member of the built-in Enterprise Read-only Domain Controllers group, which will automatically assign these permissions.
  
  
  The AD Connector does an initial synchronization of the AD structure to Secure Access. After this, it detects changes to the AD structure and communicates these changes only. The detection of changes requires the Replicating Directory Changes permission. The AD Connector cannot function without this permission.
  
  
  The Replicating Directory Changes permission is different from the Replicating Directory Changes All permission, which enables the retrieval of password hashes. The AD Connector does not read password hashes. Thus, the AD Connector does not require the Replicating Directory Changes All permission.

Provision Users and Groups from Active Directory < Prerequisites for AD Connectors > Connect Multiple Active Directory Domains