In this article, we will explain and demonstrate how to configure your Cato account to work with Active Directory (LDAP integration). The feature will allow you to fetch the users and add them automatically to the Cato Management Application. It will NOT authenticate to the AD server.
The sync has two main options:
1. Syncing with a local AD server
2. Syncing with an external AD server
How to sync a local AD server (server behind a Cato site):
1. Add the AD server to the Hosts screen for the site.
   - From the navigation menu, select Network > Sites, and select the site.
   - From the navigation menu, select Site Configuration > Hosts.
   - Click New and enter the settings for the AD server.
   - Click Apply and then click Save.
2. Add a new domain to the LDAP services for the account.
   - From the navigation menu, click Access > Directory Services, and select the LDAP tab or section.
   - Click New, and configure the settings for the AD domain.
   - Click Save.
3. Add the AD server (from step 1) as a domain controller (DC) to the domain.
   - In the panel navigation section, click Domain Controllers.
   - In the top drop-down menu, select Host, and in the next drop-down menu, select the host from step 1.
   - Click Save.
4. Select the AD groups for SDP users and for User Awareness that you are syncing to your Cato account.
   Note:
   - If no groups are selected, then all AD groups are imported for User Awareness
   - Nested groups are synced if you select the parent group
   - The User Principal Name (UPN) AD parameter must be configured for a user to be identified by User Awareness
   Steps:
   - In the panel navigation section, click User Groups.
   - Select the AD groups that you are syncing for SDP users and User Awareness.
     Note: Capitalization matters when importing organizational units from Active Directory. ExampleGroup will be treated differently from EXAMPLEGROUP.
     If you change the name of the OUs within Active Directory, please ensure that you also change the selected OUs within the Cato Management Application.
   - Select Daily Sync SDP User Groups to enable automatically syncing the groups and SDP users each day.
   - Click Save and Close.
5. In the Directory Services screen, click Sync Now.
If you need to sync an external AD server, then you can perform the same procedure as above.
- If your Domain Controller is behind an IPsec connection or if you are routing only some subnets to the Socket, be sure to include the IP address of the Cato Management Application in your VPN tunnel routing configuration. Traffic from and to this IP should be routed via the Cato tunnel.
  - Please contact Support to receive the IP address of the Cato Management Application
- When the UPN and/or email address of an LDAP SDP user has been changed in the AD, the status of the affected LDAP SDP user remains unchanged in the Cato Management Application.
- When syncing the Azure AD, both the Member and Guest user types are synchronized.
- Make sure that the first and last names are configured for AD users. Otherwise, users missing a first or last name are NOT synced to your Cato account.
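The sync rules above (UPN required for User Awareness, first and last name required for the user to be synced, case-sensitive name matching) can be checked against the directory before you click Sync Now. The following pre-sync check is an added example, not Cato's code: the user records and group DNs are constructed, the AD attribute names are standard, and it assumes the article's case-sensitivity note for OUs also applies to the selected group names.

```python
# Added pre-sync check for AD users before a Cato LDAP sync (not Cato's code).
# Attribute names (userPrincipalName, givenName, sn, memberOf) are standard AD
# attributes; the records and DNs below are constructed sample data.

# Constructed sample of what an LDAP search of the domain might return.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.test",
     "givenName": "Jane", "sn": "Doe",
     "memberOf": ["CN=SDP Users,OU=Groups,DC=example,DC=test"]},
    {"sAMAccountName": "svc_backup", "userPrincipalName": "",
     "givenName": "Backup", "sn": "Service",
     "memberOf": ["CN=SDP Users,OU=Groups,DC=example,DC=test"]},
    {"sAMAccountName": "mononym", "userPrincipalName": "mononym@example.test",
     "givenName": "Prince", "sn": "",
     "memberOf": ["CN=SDP Users,OU=Groups,DC=example,DC=test"]},
    {"sAMAccountName": "contractor", "userPrincipalName": "contractor@example.test",
     "givenName": "Con", "sn": "Tractor",
     "memberOf": ["CN=sdp users,OU=Groups,DC=example,DC=test"]},
]

# Group DNs selected under User Groups in the Cato Management Application (constructed).
SELECTED_GROUPS = {"CN=SDP Users,OU=Groups,DC=example,DC=test"}


def check_user(user, selected_groups):
    """Return the reasons this user would be skipped or unidentified after sync."""
    problems = []
    if not user.get("userPrincipalName"):
        problems.append("missing UPN: User Awareness cannot identify this user")
    if not (user.get("givenName") and user.get("sn")):
        problems.append("missing first or last name: user is not synced")
    # Exact comparison on purpose: names match case-sensitively, so
    # 'sdp users' is not 'SDP Users' (assumed to apply to groups as to OUs).
    if not any(dn in selected_groups for dn in user.get("memberOf", [])):
        problems.append("not in any selected group (case-sensitive match)")
    return problems


def presync_report(users, selected_groups):
    """Map sAMAccountName -> problems, only for users with at least one problem."""
    report = {}
    for user in users:
        problems = check_user(user, selected_groups)
        if problems:
            report[user["sAMAccountName"]] = problems
    return report


if __name__ == "__main__":
    for account, reasons in presync_report(SAMPLE_USERS, SELECTED_GROUPS).items():
        print(f"{account}: {'; '.join(reasons)}")
```

Replace SAMPLE_USERS with the result of a real LDAP search (for example via ldap3) and SELECTED_GROUPS with the DNs you selected in the portal; any account listed in the report will be missing or unidentified after the sync.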
3 comments
The SYNC button is no longer there. Guide needs updating with the correct steps. CC2 portal is new.

New SYNC option is as below:
If you are configuring the LDAP connection string be sure to put double quotes around fields with spaces, i.e. CN="Admin and Service Accounts"
Also, imported usernames are not the samAccount, uid, or cn fields. I expected "christopherbradski" to be used as the login field but in fact it was "Christopher Bradski"...
Christopher, thank you for your comment.
1. Double quotes are not required for an LDAP connection string with spaces.
2. The login is displayed as [FIRST_NAME LAST_NAME], that is the reason you see the full name.