global catalog of an Active Directory forest with a single Active Directory tree, the user
account must have permissions to authenticate users in multiple subdomains. Be sure to
use an Active Directory account with only the privileges that are required.
■ Password: Enter that user's password.
4. Enter the Active Directory settings by doing one of the following:
■ Select the Auto-detect advanced settings check box (the associated text boxes are
automatically filled).
Or
■ Ensure that the Auto-detect advanced settings check box is not selected and fill in the
remaining text boxes. The six additional text boxes are:
— Primary Domain Controller: The fully qualified domain name (FQDN) of the desired
Primary Domain Controller.
— Secondary Domain Controller (Optional): A secondary domain controller in case
there are problems connecting to the Primary Domain Controller. If an appliance
cannot reach the primary controller it will fail over to the secondary controller. If an
appliance has joined to the Secondary Controller, the Configuration > System >
Active Directory page will display a Revert to Primary button. Use this to reconnect
to the primary.
— Active Directory Kerberos server: The FQDN of the desired Kerberos server (KDC). If
uncertain, use the same FQDN as the Primary Domain Controller; every Active Directory
domain controller runs the KDC service. Enter a fully qualified domain name, not a short
hostname.
Note: If you have configured a Secondary Domain Controller, your Active Directory
Kerberos server must be the same as your Primary Domain Controller.
— Active Directory LDAP server: The FQDN of the desired LDAP server, followed by the port
number. If uncertain, use the same hostname as the Domain Controller, with the port
number. The port number for a single Active Directory server is usually 389; for an Active
Directory server designated as a global catalog server, it is 3268. Queries on port 3268
return results from the whole forest, whereas port 389 returns results only from the
domain that the controller serves.
If the FQDN you enter is incorrect, the appliance attempts to auto-detect it. If you still
cannot connect to your Active Directory forest, clear Auto-detect advanced settings and
manually change the port number for the Active Directory LDAP server to 389, which forces
the appliance to query the AD server as a single domain rather than as a global catalog.
— LDAP authentication DN (optional): The LDAP "Distinguished Name" of the account entered
in the Username text box. If left blank, the appliance will attempt to discover the correct
DN. If you are uncertain, leave this blank.
— LDAP base DN (optional): The LDAP "folder" (container) under which users can be found.
Defaults to the whole domain. If you are uncertain, leave this blank.
— LDAP account attribute (optional): The LDAP object attribute that contains the "login
name" of a user. Defaults to 'sAMAccountName', which is the only correct value for
Active Directory LDAP servers. If you are uncertain, leave this blank.
5. Click Verify Settings.
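The following pre-flight script is an added example, not Sophos code. It reproduces the defaults that Auto-detect advanced settings is expected to fill in for a domain (Kerberos server = primary controller, LDAP server = primary controller with port 389 or 3268, base DN = the whole domain, sAMAccountName) and checks the constraints the procedure states, so the six values can be reviewed, and the LDAP and Kerberos ports probed from the network, before they are typed into the page and Verify Settings is clicked. The domain and host names in it are constructed examples.

```python
"""Pre-flight check for the Active Directory settings above (added example, not Sophos code).
Host names such as corp.example.com / dc1.corp.example.com are constructed."""
from __future__ import annotations

import socket
from dataclasses import dataclass

LDAP_PORT = 389      # single Active Directory domain
GC_PORT = 3268       # global catalog: LDAP searches span the whole forest
KERBEROS_PORT = 88   # KDC service, present on every domain controller


@dataclass
class ADSettings:
    """The domain controllers plus the six advanced text boxes."""
    primary_dc: str
    secondary_dc: str = ""      # "" means no secondary controller configured
    kerberos_server: str = ""
    ldap_server: str = ""       # "host:port"
    auth_dn: str = ""           # "" lets the appliance discover the bind DN
    base_dn: str = ""           # "" defaults to the whole domain
    account_attribute: str = "sAMAccountName"


def is_fqdn(name: str) -> bool:
    """True for a multi-label DNS name such as dc1.corp.example.com."""
    labels = name.split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "").isalnum() for label in labels)


def base_dn_from_domain(domain: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com (the whole-domain default)."""
    return ",".join(f"DC={label}" for label in domain.lower().split("."))


def derive_settings(domain: str, primary_dc: str, secondary_dc: str = "",
                    global_catalog: bool = False) -> ADSettings:
    """Values following the manual's guidance for the uncertain case: Kerberos
    server = primary DC, LDAP server = primary DC with 389 or 3268, bind DN
    left blank for discovery, base DN = whole domain, sAMAccountName."""
    port = GC_PORT if global_catalog else LDAP_PORT
    return ADSettings(primary_dc=primary_dc, secondary_dc=secondary_dc,
                      kerberos_server=primary_dc,
                      ldap_server=f"{primary_dc}:{port}",
                      base_dn=base_dn_from_domain(domain))


def validate_settings(s: ADSettings) -> list[str]:
    """Return the problems that would otherwise surface only when Verify Settings fails."""
    problems: list[str] = []
    if not s.primary_dc:
        problems.append("Primary Domain Controller is required")
    for label, host in (("Primary Domain Controller", s.primary_dc),
                        ("Secondary Domain Controller", s.secondary_dc),
                        ("Kerberos server", s.kerberos_server)):
        if host and not is_fqdn(host):
            problems.append(f"{label} must be a fully qualified domain name: {host!r}")
    # The manual's rule: with a secondary controller, the KDC must be the primary DC.
    if s.secondary_dc and s.kerberos_server.lower() != s.primary_dc.lower():
        problems.append("Kerberos server must equal the Primary Domain Controller "
                        "when a Secondary Domain Controller is configured")
    host, sep, port = s.ldap_server.rpartition(":")
    if not sep or not port.isdigit() or not is_fqdn(host):
        problems.append("LDAP server must be an FQDN with a port, e.g. dc1.corp.example.com:389")
    elif int(port) not in (LDAP_PORT, GC_PORT):
        problems.append(f"LDAP port {port} is neither 389 (single domain) nor 3268 (global catalog)")
    if s.base_dn and not all("=" in part for part in s.base_dn.split(",")):
        problems.append(f"LDAP base DN is not a distinguished name: {s.base_dn!r}")
    if s.account_attribute and s.account_attribute != "sAMAccountName":
        problems.append("LDAP account attribute must be sAMAccountName for Active Directory")
    return problems


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Network probe (only used from main): can this machine open host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    settings = derive_settings("corp.example.com", "dc1.corp.example.com",
                               secondary_dc="dc2.corp.example.com")
    for line in validate_settings(settings) or ["settings are consistent"]:
        print(line)
    ldap_host, _, ldap_port = settings.ldap_server.rpartition(":")
    print("LDAP", settings.ldap_server, tcp_reachable(ldap_host, int(ldap_port)))
    print("KDC ", settings.kerberos_server, tcp_reachable(settings.kerberos_server, KERBEROS_PORT))
```

Run it from a machine on the same network segment as the appliance, since a port that is open from an admin workstation may still be filtered on the path from the appliance. The probes only confirm that the ports accept connections; the bind with the service account's credentials is what Verify Settings tests.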
126 | Configuration | Sophos Web Appliance