Prerequisites for AD Connectors and VAs
To support the integration of Active Directory (AD) with Secure Access, review and meet the requirements in this guide.
Table of Contents
Connector Server
You must configure a server that is a member of the AD domain with the following environment:
- Windows Server 2012, 2012 R2, 2016, 2019, or 2022 with the latest service packs and 100MB free hard disk drive space. Service packs prior to SP2 are not supported.
- .NET Framework 4.5 or above
- If a local anti-virus application is running, allow the CiscoAuditClient.exe and CiscoAuditService.exe processes to run on the system.
The Connector may be deployed directly on the domain controller. In this case, the domain controller must meet all prerequisites listed above. Only one connector is required to provision identities from an AD domain, with an optional second connector for redundancy if required.
Guidelines for AD Deployments with Secure Access Virtual Appliances
- For troubleshooting, install the AD Domain Services Snap-ins and Command-line Tools feature through the Remote Server Administration Tools > Role Administration Tools > AD DS & AD LDS Tools > AD DS Tools.
- If you are deploying AD with Virtual Appliances through the integration with domain controllers, you must deploy one AD Connector for each AD domain (with an optional second connector for each AD domain).
Outbound Network Access to Secure Access
The Connector server requires outbound access on certain domains and URLs. If you are using a transparent HTTP web proxy, ensure that these domains and URLs on port 80/443 are excluded from the proxy, and not subject to authentication.
- For syncing, allow traffic on 443 (TCP) to api.sse.cisco.com.
- For Windows to perform Certificate Revocation List and Code-Signing checks, allow access to additional URLs on port 80/443 (TCP). For a complete list of ports, see AD Connector Communication Flow and Troubleshooting.
- For downloading upgrades, allow traffic on 443 (TCP) to disthost.umbrella.com.
Connector Account
To deploy the Connector, create a new user account in the AD domain. This account should have:
- The logon name (sAMAccountName) set to Cisco_Connector. You can use a custom username, but you must configure it with the required permissions.
- Select
Password never expires.
Note: Passwords can not include backslashes, quotations (single or double), greater-than or less-than chevron brackets (< >), or colons. - Assign
ReadandReplicating Directory Changespermissions. Alternatively, you can make the Connector account a member of the built-inEnterprise Read-only Domain Controllersgroup which will automatically assign these permissions.
Note: The Connector does an initial synchronization of the AD structure to Secure Access. After this, it detects changes to the AD structure and communicates these changes only. The detection of changes requires theReplicating Directory Changespermission, so the Connector cannot function without this permission. TheReplicating Directory Changespermission is different from theReplicating Directory Changes Allpermission which enables the retrieval of password hashes. The Connector does not read password hashes and hence does not require theReplicating Directory Changes Allpermission.
Guidelines for AD Deployments with Secure Access Virtual Appliances
- The Connector account (Cisco_Connector or custom username) must be a member of the following built-in groups on each AD domain:
- Enterprise Read-only Domain Controllers
- Event Log Readers
Note: In a parent/child domain scenario, the Enterprise Read-only Domain Controller only exists in the parent domain. In this case, follow the instructions listed here to provide the required permissions for the Connector account. You must add other missing groups.
AD Integration with Virtual Appliances < Prerequisites for AD Connectors and VAs > Prepare Your AD Environment
Updated about 1 month ago