
ADS Integration Guide

Document version 9402-1.0-18/10/2006


Cyberoam – ADS Integration Guide

IMPORTANT NOTICE
Elitecore has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without
warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore
assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice, to make
changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE
The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Please
read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the
terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance
and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which
the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software
substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. This limited
warranty extends only to the customer as the original licensee. Customer's exclusive remedy and the entire liability of Elitecore
and its suppliers under this warranty will be, at Elitecore or its service center’s option, repair, replacement, or refund of the
software if reported (or, upon request, returned) to the party supplying the software to the customer. In no event does Elitecore
warrant that the Software is error free, or that the customer will be able to operate the software without problems or
interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and the
performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the
Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected
by that virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical
components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole
obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware
need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any
part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all
material respects to the defective Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without
limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of
dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential,
incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to
use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall
Elitecore’s or its supplier’s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the
price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including,
without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or
its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore
Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of
printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore
Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to
change without notice.

CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower,
Off. C.G. Road,
Ahmedabad – 380015, INDIA
Phone: +91-79-26405600
Fax: +91-79-26407640
Web site: www.elitecore.com , www.cyberoam.com

Guide Sets

Guide                                        Describes
User Guide
Console Guide                                Console Management
Windows Client Guide                         Installation & configuration of Cyberoam Windows Client
Linux Client Guide                           Installation & configuration of Cyberoam Linux Client
HTTP Client Guide                            Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide                        Using the Analytical tool for diagnosing and troubleshooting
                                             common problems
LDAP Integration Guide                       Configuration for integrating LDAP with Cyberoam for external
                                             authentication
ADS Integration Guide                        Configuration for integrating ADS with Cyberoam for external
                                             authentication
PDC Integration Guide                        Configuration for integrating PDC with Cyberoam for
                                             authentication
RADIUS Integration Guide                     Configuration for integrating RADIUS with Cyberoam for external
                                             authentication
High Availability Configuration Guide        Configuration of High Availability (HA)
Data transfer Management Guide               Configuration and Management of user based data transfer policy
Multi Link Manager User Guide                Configuration of Multiple Gateways, load balancing and failover
VPN Management                               Implementing and managing VPN
Cyberoam IDP Implementation Guide            Configuring, implementing and managing Intrusion Detection and
                                             Prevention
Cyberoam Anti Virus Implementation Guide     Configuring and implementing anti virus solution
Cyberoam Anti Spam Implementation Guide      Configuring and implementing anti spam solution

Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:

Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-26405600
Fax: +91-79-26407640
Web site: www.elitecore.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.



Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item                         Convention                        Example

Server                       Machine where Cyberoam Software - Server component is installed
Client                       Machine where Cyberoam Software - Client component is installed
User                         The end user
Username                     Username uniquely identifies the user of the system
Part titles                  Bold and shaded font typefaces    Report
Topic titles                 Shaded font typefaces             Introduction
Subtitles                    Bold & Black typefaces            Notation conventions
Navigation link              Bold typeface                     Group Management → Groups → Create
                                                               It means: to open the required page, click on Group
                                                               Management, then on Groups, and finally click the
                                                               Create tab
Name of a particular         Lowercase italic type             Enter policy name, replace policy name with the
parameter / field /                                            specific name of a policy
command button text                                            Or
                                                               Click Name to select, where Name denotes the command
                                                               button text which is to be clicked
Cross references             Hyperlink in different color      refer to Customizing User database. Clicking on the
                                                               link will open the particular topic
Notes & points to remember   Bold typeface between the         Note
                             black borders
Prerequisites                Bold typefaces between the        Prerequisite
                             black borders                     Prerequisite details

Overview
Welcome to the Cyberoam ADS Integration Guide.

Cyberoam is an Identity-based UTM Appliance. Cyberoam’s solution is purpose-built to meet the
security needs of corporates, government organizations, and educational institutions.

Cyberoam’s perfect blend of best-of-breed solutions includes User based Firewall, Content
filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to the
publicly accessible servers like Web server, Mail server, FTP server etc. hosted in a DMZ, which are
visible to the external world and still have firewall protection.

Once you have installed and placed Cyberoam, a default policy is automatically applied which
allows complete network traffic to pass through Cyberoam. This allows you to monitor user
activity in your network based on the default policy.

As Cyberoam monitors and logs user activity based on IP address, all the reports are generated
based on IP address. To monitor and log user activities based on user names or logon names,
you have to configure Cyberoam to integrate with your user information and authentication process.
Integration identifies each access request by user name and generates reports based on
user names.

When a user attempts to access the network through Cyberoam, Cyberoam requests a user name and
password and authenticates the user's credentials before giving access. User level authentication can be
performed using the local user database on the Cyberoam, an external ADS server, a Windows
Domain Controller, or an LDAP server.

To set up user database

1. Integrate ADS, Domain Controller or LDAP if external authentication is required.

   If your network uses Active Directory Services, configure Cyberoam to communicate with your
   ADS. Refer to ADS Integration for more details.

   If your network uses a Windows Domain Controller, configure Cyberoam to communicate
   with the Windows Domain Controller. Refer to PDC Integration for more details.

   If your network uses LDAP, configure Cyberoam to communicate with the LDAP server. Refer
   to LDAP Integration for more details.

   If your network uses a RADIUS server, configure Cyberoam to communicate with the RADIUS
   server. Refer to RADIUS Integration Guide for more details.

2. Configure for local authentication.

3. Register user.

Introduction to ADS
Using Active Directory maximizes accuracy in identifying users as it identifies users in real time,
as they log on to domains. This enables Cyberoam to accurately filter Internet access
based on policies assigned to particular users or groups.

Cyberoam – ADS integration feature allows Cyberoam to map the users and groups from ADS for
the purpose of authentication. This enables Cyberoam to transparently identify the network users.
Cyberoam communicates with Windows Directory Services – Active Directory (AD) to authenticate
users based on groups, domains and organizational units.

Whenever an existing ADS user logs on for the first time after configuration, the user is
automatically created in Cyberoam and assigned to the default group. If the groups are already
created in Cyberoam, users are created in the respective groups, i.e. the ADS user groups
are mapped to Cyberoam user groups. If the user is already created and there is a change in
expiry date or group name, the user is logged in with the changes.

Administrator’s task is just to configure Cyberoam to communicate with ADS.

ADS Authentication Process

User has to be authenticated by Cyberoam before accessing any resources controlled by
Cyberoam.

This authentication mechanism allows Users to access using their Windows authentication tokens
(login/user name and password) in the Windows-based directory services.

User sends the log on request/user authentication request to ADS and ADS authenticates the user
against the directory objects created in ADS. Once the user is authenticated, Cyberoam
communicates with ADS to get the additional authorization data such as user name, password,
user groups and expiry date as per the configuration, which is used to control the access.

Note
If the ADS is down then the authentication request will always return ‘Wrong username/password’
message

It is necessary to have shared NETLOGON directory on ADS with the following permissions:
Read, Read & Execute, List Folder Contents

Note

It is possible to authenticate Users of multiple ADS servers and multiple domains



Configuring for ADS Integration


For configuring Cyberoam to communicate with ADS, it is necessary to locate an Active Directory
server (domain controller) for logging on to a domain and then finding the information that you
need in Active Directory. Both processes use name resolution. Domain controller can be found by
using DNS names or Network Basic Input/Output System (NetBIOS) names. When locating a
domain controller, the Domain Name System (DNS) resolves a domain name or computer name to
an Internet Protocol (IP) address.

Every domain controller registers two types of names at startup:

1. A DNS domain name with the DNS service and IP Address
2. A NetBIOS name

It is possible that the registered DNS domain name and NetBIOS name are different.

When a user logs on to a domain, the computer must do one of two things:
1. If the name of the logon domain is a DNS name, query is placed to DNS to find a domain
controller with which to authenticate.
2. If the name of the logon domain is a NetBIOS name, the computer finds a domain
controller for the specified domain.

For this ensure that Users can connect to domain controller in your network. Connections to the
domain controllers are enabled automatically during the Active Directory setup. Verify the
connection from User machine using ping or a similar utility.

Select User → Authentication Settings to open the configuration page



Screen – ADS Integration

Screen Elements          Description

Configure Authentication & Integration parameters
Integrate with           Select Active directory as authentication server.
                         Cyberoam dynamically maps active directory groups to respective
                         Cyberoam groups on each logon.
Default Group            Allows to select default group for users.
                         Click Default Group list to select.
Update button            Updates and saves the configuration.
Add button               Allows to add ADS server.
                         Refer Add ADS Server for details.

Table – ADS Integration screen elements

Add ADS Server

Screen – ADS Server configuration

Screen Elements          Description

Add ADS Server Details
ADS Server IP            Specify ADS Server IP Address.
Port                     Specify Port number over which ADS Server will communicate.
                         Default port is 389.
NetBIOS Domain           Specify NetBIOS Domain name.
ADS Username             Specify Administrator Username.
Password                 Specify Password of Administrator Username.
Test Connection button   Allows to check the connectivity of Cyberoam with ADS server.
                         Click to check.
Add button               Saves the server configuration and allows to add the Domain query
                         for name resolution and authentication.
                         Click Add to add the domain query.
                         Refer to Add Domain Query for more details.
Cancel button            Cancels the current operation.

Table – ADS Server configuration screen elements

Add Domain Query

Screen – Domain Query



Screen Elements          Description

Domain Details
Domain Name              Domain name to which the query is to be added.
Search DN                Displays list of queries.
                         List order indicates preference of query for the name resolution. If more
                         than one query exists, the query will be resolved according to the order
                         specified.
Add button               Allows to add the query.
                         Click to add. Opens a Search query dialog box and allows to enter the
                         name resolution query.
                         Refer to How to build a Search DN Query for details.
                         Click OK to save.
                         Click Cancel to cancel the current operation.
Remove button            Allows to remove the query.
                         Click the query to be removed, then click to remove.
Move Up button           Changes the order of query when more than one query is defined.
                         Moves the selected query one step up.
                         Click the query which is to be moved up, then click Move Up.
Move down button         Changes the order of query when more than one query is defined.
                         Moves the selected query one step down.
                         Click the query which is to be moved down, then click Move down.
Save button              Saves the configuration.
                         Click to save.
Cancel button            Cancels the current operation.

Table – Domain Query screen elements

How to build Search DN Query

To search for the user in Active Directory, a DN query is placed. The query contains 3 components:
domain component (dc), organizational unit (ou) and common name (cn). For example, for the fully
qualified domain name cyberoam.elitecore.com, when the user is created under ou ‘support’ with cn
‘administrator’, the query is written as:

cn=administrator,ou=support, dc=cyberoam, dc=elitecore, dc=com
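The query format above, worked through as an added example (this is not code from the guide or from Cyberoam): Python helpers that build a Search DN from a fully qualified domain name, an ou path and a cn, escape attribute values according to RFC 4514 so that a name containing a comma cannot add an extra RDN, parse a DN back (accepting the spaces after the commas used in the example above), and show how the ordered Search DN list on the Domain Query screen acts as the resolution preference. The function names and the in-memory sample directory are assumptions made for illustration.

```python
"""Search DN helpers: building, escaping, parsing and ordered lookup.

Added example, not code from the Cyberoam guide. Function names, the
RFC 4514 escaping rules and the constructed directory entries are assumptions.
"""
import re

# Characters that alter a DN's structure when left unescaped (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape one attribute value so supplied text cannot add or alter RDNs."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def fqdn_to_dc(fqdn):
    """cyberoam.elitecore.com -> dc=cyberoam,dc=elitecore,dc=com"""
    labels = [label for label in fqdn.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + escape_dn_value(label) for label in labels)


def build_search_dn(fqdn, ous=(), cn=None):
    """Compose cn=...,ou=...,dc=... as the guide shows; ous are listed root-first."""
    parts = [] if cn is None else ["cn=" + escape_dn_value(cn)]
    parts.extend("ou=" + escape_dn_value(ou) for ou in reversed(list(ous)))
    parts.append(fqdn_to_dc(fqdn))
    return ",".join(parts)


def _split_rdns(dn):
    """Split on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """Return [(attribute, value), ...] with attributes lower-cased and escapes removed.

    Unescaped spaces around the commas, as in the guide's example, are not part of a value.
    """
    pairs = []
    for raw in _split_rdns(dn):
        raw = raw.lstrip()
        while raw.endswith(" ") and not raw.endswith("\\ "):
            raw = raw[:-1]
        attr, sep, val = raw.partition("=")  # the first '=' ends the attribute name
        if not sep or not attr.strip() or not val:
            raise ValueError("malformed RDN: %r" % raw)
        pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", val)))
    return pairs


# Constructed sample directory standing in for ADS: object DN -> logon name.
SAMPLE_DIRECTORY = {
    "cn=administrator,ou=support,dc=cyberoam,dc=elitecore,dc=com": "administrator",
    "cn=joe,ou=sales,dc=cyberoam,dc=elitecore,dc=com": "joe",
}


def find_user(username, search_dns, directory):
    """Return the first configured Search DN under which the user exists.

    The Search DN list order is the resolution preference: bases are tried in
    order and the first one that contains the user wins.
    """
    wanted = username.lower()
    for base in search_dns:
        base_pairs = parse_dn(base)
        for dn, logon in directory.items():
            if logon.lower() == wanted and parse_dn(dn)[-len(base_pairs):] == base_pairs:
                return base
    return None
```

build_search_dn("cyberoam.elitecore.com", ["support"], "administrator") yields the guide's query without the cosmetic spaces, and parse_dn accepts either spelling. The escaping matters when the cn or ou comes from a directory attribute or an operator's input: without it, a value such as "Smith, John" would be read as two RDNs and the query would search the wrong container.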



Connectivity check
Connection to ADS is enabled automatically during Active Directory setup, but as the ADS server is
used for authenticating users it is necessary to check whether Cyberoam is able to connect to the ADS
or not.

Connectivity can be checked:

1. At the time of adding ADS server details, or
2. After adding ADS server details

Select User → External Authentication and click the ADS Server IP which is to be tested for
connection. Click Test Connection button.

Single Sign on Client Configuration


Single sign on provides password synchronization for Windows users using Active Directory
services and Cyberoam, i.e. if the user is configured for Single sign on, whenever the User logs on to
Windows, the user is automatically logged on to Cyberoam also.

This also enables Users to check their My Account using their Windows password.

Follow the procedure to configure the Single Sign on login utility and ADS authentication.

Step 1 Download the Cyberoam Single Sign on client as shown in the below screen shot and save
SSCyberoam.exe to the NETLOGON scripts directory on the domain controller or as per your
configuration. The logon scripts contain the configuration parameters for the initial user
environment.
The default location of the NETLOGON directory is as given below:

Server OS        NETLOGON default location
Windows 2000     %SYSTEMROOT%\SYSVOL\sysvol\%USERDNSDOMAIN%\Scripts
Windows 2003     %SYSTEMROOT%\SYSVOL\sysvol\%USERDNSDOMAIN%\Scripts
Table - Default NETLOGON directory location

Screen - Download Single sign on Client

Go to step 2 if logon scripts for the Users are already created


Go to step 3 if logon scripts for the Users are not created

Step 2 If the logon scripts are already created, then update them. Edit the logon script
using any of the available editors like Notepad, add the following line in the script and save the
script:

start \\<ADSMachineName>\netlogon\SSCyberoam.exe <IP address of the Cyberoam Server> <Domain>

E.g., start \\adsmachinename\netlogon\SSCyberoam.exe 192.168.1.100 elitecore

Whenever the User logs on to Windows, the logon script is executed. The above
statement in the logon script executes the Cyberoam logon program with the Windows Username and
automatically logs the User in to Cyberoam.

Step 3 If the logon scripts are not created

Create a new script - “defaultlogonscript.bat” using any of the available editors like Notepad and
add the line:

start \\<ADSMachineName>\netlogon\SSCyberoam.exe <IP address of the Cyberoam Server> <Domain>

E.g., start \\adsmachine\netlogon\SSCyberoam.exe 192.168.1.100 elitecore

Copy the script - “defaultlogonscript.bat” to the NETLOGON scripts directory. Refer to step 1 to find the
location of the NETLOGON scripts directory.

Download the Logon Script Updation Utility as shown in the below screen shot and save the script as
“updatelogonscript.bat” in the root directory of the server.

Open the command prompt.



Screen - Download User Logon Script Updation utility

Execute “updatelogonscript.bat” at the command prompt as follows:

updatelogonscript.bat defaultlogonscript.bat

This will update/add the logon script of the Users in the domain to defaultlogonscript.bat.

Whenever the User logs on to Windows, the script “defaultlogonscript.bat” will be executed,
which in turn executes the Cyberoam logon program with the Windows Username and
automatically logs the User in to Cyberoam.

If the User has logged in successfully using the Single Sign on utility, then (S) will be shown next to
the Username, e.g. Joe (S), in the Live User list.

Logging to Cyberoam using Client exe/http client


Diagram shows authentication process when user tries to log on to Cyberoam using Client exe or
http client. Refer to Cyberoam User Guide for details on downloading the clients.

Note
1. If Cyberoam is configured for multiple Domains then at the time of login, the user has to provide the full
username, i.e. <username>@<domainname>

2. If Cyberoam is configured for a single Domain then at the time of login, the user can provide only the
username. Cyberoam will append the domain if not provided.

3. If the user is not found in ADS then the message ‘Not able to authenticate’ will be displayed

4. If the user is already logged in at the time of updation of expiry date and/or group then the changes will
be reflected only at the next login
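The two login-name rules in points 1 and 2 of the Note, as an added example (not Cyberoam code): a Python function that normalises what a user types into user@domain, requiring the domain when several domains are configured, appending it when exactly one is configured, and rejecting a domain that Cyberoam is not configured for. The function name and the constructed domain lists are assumptions made for illustration.

```python
"""Login-name normalisation following the Note above.

Added example, not Cyberoam code. The function name and the domain lists
used to exercise it are assumptions made for illustration.
"""


def normalise_login(login, configured_domains):
    """Return user@domain, or raise ValueError when the Note's rules are not met.

    - several domains configured: the user must supply username@domainname
    - one domain configured: a bare username gets that domain appended
    - a supplied domain must be one of the configured domains
    """
    login = login.strip()
    if not login:
        raise ValueError("empty username")
    domains = [d.lower() for d in configured_domains]
    if not domains:
        raise ValueError("no domain configured")

    user, sep, domain = login.partition("@")
    if not user:
        raise ValueError("missing username before '@'")
    if sep:
        # Exactly one '@' is allowed; the domain part is compared case-insensitively.
        if not domain or "@" in domain:
            raise ValueError("malformed login: %r" % login)
        if domain.lower() not in domains:
            raise ValueError("unknown domain: %r" % domain)
        return "%s@%s" % (user, domain.lower())

    if len(domains) > 1:
        # Rule 1: with several domains Cyberoam cannot guess which one is meant.
        raise ValueError("multiple domains configured; use username@domainname")
    # Rule 2: a single configured domain is appended automatically.
    return "%s@%s" % (user, domains[0])
```

A login that fails these checks never reaches the directory, so the rejection reason is available before the ‘Not able to authenticate’ message in point 3 would be shown.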

Some Exception Conditions

1. The logon script will not execute if ADS is down; the User will not be able to log on to Cyberoam and
Internet access will not be available.

Once ADS is up, Users will have to re-logon.

2. If Cyberoam is down or not reachable, the Cyberoam Single Sign on client will continuously try to log on,
and as soon as Cyberoam is up Internet access will be available.

ADS authentication is an optional method for users to log in to Cyberoam. Using ADS enables you
to have central configuration for user accounts.