Active Directory Integration
The Active Directory integration consists of two components:
- an Active Directory Monitor (ADMonitor) – a small application to be installed on the Active Directory servers
- an Active Directory Integration service on the Appliance – this offers additional settings for the Web Content Filter based on the Active Directory groups the users are part of
In a nutshell, ADMonitor listens for user logins on the Active Directory servers and reports these events to the Syneto Appliance. The Appliance periodically queries the Active Directory server for the list of users and groups. When a login event arrives, the Appliance looks for a profile matching a group of the user who just logged in and applies that profile's web access policies to that user. If the user does not authenticate to an Active Directory, another host/network-based profile will be matched. If there is no such profile, the Default Profile is used.
Before you begin, check if your system satisfies the following software requirements:
- Windows Server 2003 SR2 or 2008 (both 32-bit)
- .NET Framework version 4.0
Next, make sure you set up the appropriate Audit Policy:
Windows Server 2003
- Open Domain Controller Security Policy (Start -> Programs -> Administrative Tools). Be sure to open Domain Controller Security Policy and not Domain Security Policy, because Domain Controller Security Policy settings override any Domain Security Policy configuration.
- Open Local Policies -> Audit Policy.
- Make sure both Audit account logon events and Audit logon events are set to log events only on “Success” (Success appears in the Policy Setting column).
Windows Server 2008
- Open Start -> Administrative Tools -> Group Policy Management.
- Right click on the Default Domain Policy and select Edit.
- Click on Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies.
- Make sure both Audit account logon events and Audit logon events are set to log events only on “Success” (Success appears in the Policy Setting column).
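The following script is an added example and not part of the Syneto documentation. Run it on the domain controller after completing the steps above: it confirms that the two audit categories are auditing Success and that the Security log is actually receiving Kerberos TGT events, which is what ADMonitor listens for. auditpol.exe ships with Windows Server 2008; on Windows Server 2003 the first check is skipped and the policy has to be verified in the GUI as described.

```powershell
# Added example (not part of the Syneto documentation): verify on the domain
# controller that the audit policy above is in effect and that Kerberos TGT
# events are being written to the Security log.

# "Audit account logon events" and "Audit logon events" correspond to these
# two auditpol categories.
$categories = @('Account Logon', 'Logon/Logoff')

if (Get-Command auditpol.exe -ErrorAction SilentlyContinue) {
    foreach ($category in $categories) {
        # auditpol prints one line per subcategory, e.g. "  Logon    Success"
        $lines = & auditpol.exe /get /category:"$category"
        if ($lines -match 'Success') {
            Write-Host "OK      : '$category' audits Success"
        } else {
            Write-Warning "MISSING : '$category' does not audit Success; fix it in the policy editor"
        }
    }
} else {
    Write-Host 'auditpol.exe not available (Windows Server 2003): verify the policy in the GUI'
}

# Event ID 4768 (Windows Server 2008) / 672 (Windows Server 2003) is written
# when a Kerberos TGT is granted. If none appear while users are logging in,
# ADMonitor has nothing to report.
$since = (Get-Date).AddHours(-1)
$tgtEvents = @(Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 4768 -or $_.EventID -eq 672 })

if ($tgtEvents.Count -gt 0) {
    Write-Host ("OK      : {0} Kerberos TGT event(s) logged since {1}" -f $tgtEvents.Count, $since)
    $tgtEvents | Select-Object -First 5 TimeGenerated, EventID | Format-Table -AutoSize
} else {
    Write-Warning "No Kerberos TGT events since $since; check the audit policy and have a user log on"
}
```

If the first check passes but no TGT events show up, the Domain Controller Security Policy is usually being overridden or has not been refreshed yet; run gpupdate /force on the domain controller and repeat.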
IMPORTANT NOTE: According to Microsoft there is a memory leak in the WMI service on Windows 2008 R2 and Windows 7. This bug may affect the proper working of ADMonitor and other services. For more information, read the following Microsoft support article: http://support.microsoft.com/kb/981314
To download the ADMonitor installer onto your Active Directory server, go to the Syneto Appliance's web interface, select the menu Web -> Content Filter settings, open the “Active Directory integration” tab and click the “Click here to download the AD Monitor” link. A download window will appear. You can save the file for later installation or select “Run” / “Open” when asked and install it directly.
Installing the ADMonitor is straightforward and the default settings should be appropriate for most use cases.
Figure 1. Installation steps for ADMonitor
When the installation is finished you will find an icon on the desktop and a menu entry in your Windows Start -> Programs section.
Figure 2. Start menu entry for the Syneto ADMonitor
The Syneto ADMonitor consists of 2 parts:
- a graphical interface for setup and monitoring (this is what you see when you run the program from Figure 2)
- a Windows service application; this is the part that effectively listens for login events and communicates with the Syneto Appliance. If the service is not running, no events are caught and no rules are applied on the Syneto Appliance
Let’s start the ADMonitor interface and configure it. When you first start it, it should look like Figure 3: the service is stopped, the IP is set to 127.0.0.1 and an obvious communication error message is shown.
Figure 3. ADMonitor at first run
Let’s fill in the 2 required parameters:
Syneto appliance IP - the IP address of the Syneto Appliance
Kerberos ticket lifetime - this must be set to the same value as your AD server’s configuration for Kerberos TGT Lifetime (the default is the same on Windows Server 2003, Windows Server 2008 and the Syneto WCF Agent: 600 minutes). It is important that this value is always in sync with the server, because AD client computers also know it and refresh their Kerberos TGT based on it. For example, if you set a smaller value here than on the server, the Syneto WCF Agent may expire (log off) the accounts on the Syneto Appliance before the clients renew their TGT.
Figure 4. ADMonitor after configuration and after the appliance was also configured.
NOTE: Because of a bug in Mac OS X 10.6, these clients will not renew their TGT at expiration. If a ticket expires, the user must perform an authentication process again (i.e. lock/unlock the workstation, log out/log in, open System Preferences where a password is requested, etc.). Previous versions of Mac OS X should not have this problem.
Finally, note that the ADMonitor must be running before users log in, so that the Kerberos TGT granting is caught. Users who are already logged in must lock their workstations and authenticate again, or log out and log in again.
At this point all your configuration on the Active Directory server is done, but before the ADMonitor reports communication status “OK” you also have to configure the Appliance. Starting and running the ADMonitor service is independent of the Appliance, and it will try to communicate with it regardless of the status of the Active Directory integration on the Appliance. If the service cannot communicate with the Appliance, it will retry indefinitely or until the service is stopped / restarted.
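Because a mismatch between the ADMonitor ticket lifetime and the domain's Kerberos policy makes the Appliance expire users at the wrong time, it is worth checking the two values against each other instead of trusting the defaults. The script below is an added example, not part of the Syneto documentation; it reads the effective Kerberos policy on the domain controller with secedit and compares it with the value you entered in ADMonitor ($adMonitorMinutes is an assumed input).

```powershell
# Added example (not part of the Syneto documentation): compare the value
# entered in ADMonitor's "Kerberos ticket lifetime" field with the domain's
# effective Kerberos policy. Run on the domain controller.
$adMonitorMinutes = 600   # assumed: replace with the value typed into ADMonitor

function Get-KerberosTgtLifetimeMinutes {
    # secedit exports the effective security policy as an .inf file; its
    # [Kerberos Policy] section holds MaxTicketAge ("Maximum lifetime for
    # user ticket") in hours, 10 by default.
    $inf = Join-Path $env:TEMP 'effective-secpol.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    try {
        $match = Select-String -Path $inf -Pattern '^\s*MaxTicketAge\s*=\s*(\d+)' | Select-Object -First 1
        if (-not $match) { throw 'MaxTicketAge not found in the export; run this on a domain controller' }
        return [int]$match.Matches[0].Groups[1].Value * 60
    } finally {
        # The export contains the whole security policy; do not leave it behind.
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

$serverMinutes = Get-KerberosTgtLifetimeMinutes
Write-Host "Domain Kerberos TGT lifetime : $serverMinutes minutes"
Write-Host "ADMonitor ticket lifetime    : $adMonitorMinutes minutes"

if ($adMonitorMinutes -lt $serverMinutes) {
    Write-Warning 'ADMonitor value is smaller than the domain policy: the Appliance may log users off before their clients renew the TGT'
} elseif ($adMonitorMinutes -gt $serverMinutes) {
    Write-Warning 'ADMonitor value is larger than the domain policy: set both to the same value'
} else {
    Write-Host 'OK: ADMonitor and domain policy agree'
}
```

The policy is domain-wide (it lives in the Default Domain Policy), so the value read here applies to every domain controller listed later under “Use additional Domain Controllers”, and the same ADMonitor setting must be used on each of them.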
There are 2 other tabs in the ADMonitor interface:
- View Logs – you can view the last 500 lines of logs the ADMonitor wrote. These logs may help you figure out different problems or monitor user login / expire events. If the last 500 lines are not enough, you can click on the link in the bottom right corner of the window which will bring up the system’s Event Viewer.
Figure 5. View logs in ADMonitor
- View connected users – allows you to see the list of users known to be connected by ADMonitor. Remember, only users authenticated after the service was started will show up here. Use the refresh button to refresh the screen.
Figure 6. ADMonitor Connected Users
The last step in Active Directory integration setup is to configure the Syneto Appliance. To do this go to the same Web -> Content Filter settings menu.

Figure 1. Web Content Filter settings menu
On the Content Filter settings page select the “Active Directory integration” tab.

Figure 2. Active Directory integration page with no parameters configured
Before you can activate the integration service you have to fill in the necessary parameters. For a simple network and setup the following items are required:
- Domain name – the name of your Active Directory domain
- Server IP – the IP of your main Active Directory server. The Appliance uses this server as the primary one for synchronizing the AD groups and users
- Username – a username with enough rights to query the server’s LDAP tree for groups and users
- Password – the password for the above user

Figure 3. Active Directory integration with basic settings
In a more complex environment you have 2 extra options to optimize the integration:
- Use custom base DN – by default this value will be filled with the root of the LDAP tree and you can specify any sublevel (OU) of your tree to start the groups and users queries
- Use additional Domain Controllers – here you can specify the IP addresses of any number of additional Active Directory servers you have on your network for the configured Domain name. The Syneto Appliance will allow connections from the ADMonitors installed on these servers in addition to the server configured above. These servers will also be used as fallback if user synchronization fails with the primary AD Server.
Figure 4. Active Directory integration with additional options
Under the Server details there is a “Test connection” link you can click to easily verify the data you entered in the fields. If everything checks out, click “Ok” to save and apply the settings.
Now that you have the settings, start the integration service by clicking the “Enable” button in the “Activate” section.
As you can observe at the bottom of the page, there is a message saying that the Appliance has never been synchronized with the Active Directory server. You can click the “Synchronize now” button to get the list of groups and users from the server or wait for an automatic synchronization, which happens every 5 minutes.
Figure 5. Synchronized groups and users
Finally you can review the list of groups and users synchronized with the Active Directory server.
The Active Directory integration configuration is now complete. In the next section we will explain how to associate Active Directory groups with Profiles on the Syneto Appliance.
Export certificate from Windows 2008
Follow these steps on the Active Directory Server:
- Open Management Console: Start -> Run… -> type “mmc” -> OK
- Add the Certificates snap-in: File -> Add/Remove Snap-in -> Certificates -> “Add >” -> Computer Account -> Local Computer -> Finish -> OK
- On the left pane expand: Console Root -> Certificates -> Personal -> Certificates
- Select the certificate associated with your domain, the one having your domain name and with “Intended Purpose” = <All>
- On the right pane select: <your_domain> -> More Actions -> All Tasks -> Export…
- Complete the Certificate Export Wizard: Next -> Yes, export the private key -> Personal Information Exchange – PKCS #12 (.PFX) -> leave all the subcategories unchecked -> Next -> Enter a password -> Re-enter password -> Next -> Browse -> Give a name to your certificate file (e.g. “ad-utm”) -> Save -> Next -> Finish -> Click OK on the “The export was successful” message window
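The same export can be done from PowerShell on the domain controller, which is handy when you have several domain controllers to prepare. The script below is an added example and not part of the Syneto documentation; it selects the certificate from the computer's Personal store by the host's own FQDN (the certificate “having your domain name”), and the output path and password prompt are assumptions.

```powershell
# Added example (not part of the Syneto documentation): export the domain
# controller certificate with its private key to a password-protected PFX,
# equivalent to the Certificate Export Wizard steps above.
$fqdn    = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"        # e.g. dc01.corp.example
$outFile = Join-Path $env:USERPROFILE 'Desktop\ad-utm.pfx'  # assumed output path

# Console Root -> Certificates -> Personal -> Certificates in the MMC is
# Cert:\LocalMachine\My in PowerShell. Keep only certificates issued to this
# host that still have a private key and have not expired, newest first.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Subject -match [regex]::Escape($fqdn) -and
    $_.NotAfter -gt (Get-Date)
} | Sort-Object NotAfter -Descending

if (-not $candidates) {
    throw "No certificate with a private key for $fqdn found in Cert:\LocalMachine\My"
}
$cert = $candidates | Select-Object -First 1
Write-Host "Exporting: $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint), valid until $($cert.NotAfter)"

# The PFX carries the private key, so it is protected with a password, just
# as in the wizard; the Appliance asks for this password at import time.
# Export() throws if the key was marked non-exportable when it was issued.
$password = Read-Host 'PFX password' -AsSecureString
$pfxType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$bytes    = $cert.Export($pfxType, $password)
[System.IO.File]::WriteAllBytes($outFile, $bytes)

Write-Host "Wrote $($bytes.Length) bytes to $outFile"
Write-Host 'Import it into the Appliance and then delete this file from the server'
```

If more than one certificate matches, the script takes the one with the latest expiry; compare the thumbprint it prints with the one shown in the MMC if you want to be sure it picked the certificate you intended.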
Import certificate into the UTM
Import the recently exported certificate into the Syneto Appliance.
- Go to System -> X509 certificates -> Imported certificates
- Fill in the required information:
Import Name – a name for your certificate, e.g. “adutm”
Import Type – “External Certificate (pk12)”
Choose Certificate – click on Choose… and select the exported certificate
Password – type in the password you used to export the certificate
- Click “Import Certificate”
- Observe the certificate in the list of imported certificates
Configure SSL for AD integration
Enable use of SSL for Active Directory Integration on the Syneto Appliance:
- Go to Web -> Content filter settings
- Select “Active directory integration” tab
- Check “The server requires SSL encryption”
- Select the imported certificate from the dropdown.
- Make sure all other settings are correctly filled in as described in the previous article.
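The script below is an added example, not part of the Syneto documentation, and serves both the “Test connection” settings described earlier (domain name, server IP, username, password, optional custom base DN) and the SSL option above. It reproduces what the Appliance does during synchronization from any domain-joined Windows machine using System.DirectoryServices.Protocols: bind with the service account on port 389, or on port 636 when -UseSsl is given, then count the groups and users visible below the base DN. All parameter values passed at the bottom are placeholders.

```powershell
# Added example (not part of the Syneto documentation): check the Active
# Directory integration settings the way the Appliance will use them.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdIntegrationSettings {
    param(
        [Parameter(Mandatory = $true)] [string] $ServerIP,
        [Parameter(Mandatory = $true)] [string] $DomainName,
        [Parameter(Mandatory = $true)] [string] $Username,
        [Parameter(Mandatory = $true)] [string] $Password,
        [string] $BaseDN = '',   # empty = root of the LDAP tree, the Appliance default
        [switch] $UseSsl         # "The server requires SSL encryption"
    )
    $port       = if ($UseSsl) { 636 } else { 389 }
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ServerIP, $port)
    $credential = New-Object System.Net.NetworkCredential($Username, $Password, $DomainName)
    $conn       = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $credential)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($UseSsl) {
        # The server certificate is validated against the Windows trust store;
        # a failure here usually means the chain of the certificate you
        # exported and imported is not trusted by this machine.
        $conn.SessionOptions.SecureSocketLayer = $true
    }
    try {
        $conn.Bind()
        Write-Host "Bind OK on ${ServerIP}:$port as $DomainName\$Username"

        if (-not $BaseDN) {
            # Same default the Appliance fills in: the domain's root naming context.
            $rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', [string[]]@('defaultNamingContext'))
            $BaseDN  = $conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]
        }
        Write-Host "Base DN: $BaseDN"

        # Count groups and users below the base DN page by page: without a
        # paging control AD returns at most 1000 entries per search.
        $counts = @{}
        foreach ($class in 'group', 'user') {
            $filter = if ($class -eq 'user') { '(&(objectCategory=person)(objectClass=user))' } else { '(objectClass=group)' }
            $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDN, $filter, 'Subtree', [string[]]@('cn'))
            $page   = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
            [void]$req.Controls.Add($page)
            $total = 0
            do {
                $resp   = $conn.SendRequest($req)
                $total += $resp.Entries.Count
                $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
                $page.Cookie = $pageResp.Cookie
            } while ($page.Cookie -and $page.Cookie.Length -gt 0)
            $counts[$class] = $total
        }
        Write-Host ("Visible below base DN: {0} group(s), {1} user(s)" -f $counts['group'], $counts['user'])
        return $counts
    } catch {
        $ex = $_.Exception
        $detail = if ($ex.PSObject.Properties['ServerErrorMessage']) { " (server: $($ex.ServerErrorMessage))" } else { '' }
        Write-Warning "LDAP error on port ${port}: $($ex.Message)$detail"
    } finally {
        $conn.Dispose()
    }
}

# Placeholder values; replace with the ones entered in the Appliance.
Test-AdIntegrationSettings -ServerIP '192.0.2.10' -DomainName 'corp.example' -Username 'wcf-sync' -Password 'change-me'
Test-AdIntegrationSettings -ServerIP '192.0.2.10' -DomainName 'corp.example' -Username 'wcf-sync' -Password 'change-me' `
    -BaseDN 'OU=Staff,DC=corp,DC=example' -UseSsl
```

A bind that succeeds on 389 but fails on 636 points at the certificate rather than the account; a bind that succeeds while the counts are zero means the account can authenticate but cannot read below the chosen base DN, which is exactly the case where the Appliance would synchronize an empty group list.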

Associate Profiles with Active Directory Groups
This article will explain how to associate Profiles on the Appliance with Active Directory groups. If you need more assistance with Profiles see chapter “Web Content Filtering”.
Now that we have our integration in place and the Appliance knows about the groups and users on the Active Directory, we are just one step away from using this information with our Profiles from web content filtering. Go to Web -> Content Filter profiles menu and create a new profile or edit an existing one.
Figure 1. Associate a profile with AD groups
As you can observe, several Active Directory groups can be associated with one Profile, but no more than one Profile can be associated with an AD group. When you create another profile, you will not see the AD groups already associated with other profiles.
Recommendation: Syneto recommends creating and using dedicated groups on the Active Directory for the Web Content filter.
After the profile is created you set it up in the exact same way as described in chapter “Web Content Filtering”.
Figure 2. The new “Developers” profile appears just like any other profile

Figure 3. Configuring a profile associated with an Active Directory domain is exactly the same as with other profiles.