This article explains how to configure the settings and permissions on a Windows server to allow the PoPs in the Cato Cloud to integrate with the Active Directory Domain Controller.
Notes:
- The screenshots and procedures in this article are based on Windows Server 2016. The details may be different for other versions.
- If you need more information about Cato's IP address for the LDAP service, see Resolving Issues with LDAP Sync (you must be logged in to the Cato Knowledge Base to view this article).
Create a dedicated domain user for the integration between your Cato account and the AD domain.
These are the AD password requirements for this user:
- The password never expires
- Disable the setting that forces the user to change the password at the initial login
To create a user for Directory Services:
1. Create a new domain user (this user is only used for Cato Directory Services).
2. In the Member Of tab, make sure that the user is a member of the Domain Users group.
3. Add the user to the following groups:
   - Distributed COM Users
   - Event Log Readers
4. Click OK to create the user.
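The same account can be created from Windows PowerShell with the ActiveDirectory module. This is an added example, not a script from the Cato article: the account name, OU path and UPN suffix are placeholders to replace for your domain, and the password is prompted for rather than stored in the script.

```powershell
# Added example (not from the Cato article): creates the dedicated Directory Services
# account with the two password requirements and the two group memberships described above.
Import-Module ActiveDirectory

$samAccountName = 'svc-cato-ds'                            # assumed account name
$ouPath         = 'OU=Service Accounts,DC=example,DC=com'  # assumed OU
$upn            = "$samAccountName@example.com"            # assumed UPN suffix

# Prompt for the password instead of embedding it in the script.
$password = Read-Host -Prompt "Password for $samAccountName" -AsSecureString

$params = @{
    Name                  = $samAccountName
    SamAccountName        = $samAccountName
    UserPrincipalName     = $upn
    Path                  = $ouPath
    AccountPassword       = $password
    Enabled               = $true
    PasswordNeverExpires  = $true    # requirement: the password never expires
    ChangePasswordAtLogon = $false   # requirement: no forced password change at first login
    Description           = 'Cato Directory Services integration account'
}
New-ADUser @params

# A new domain user is a member of Domain Users through its primary group by default.
# Add the two built-in groups the integration needs.
foreach ($group in 'Distributed COM Users', 'Event Log Readers') {
    Add-ADGroupMember -Identity $group -Members $samAccountName
}

# Verify the result: account state, password flag and explicit group memberships.
Get-ADUser -Identity $samAccountName -Properties PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```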
Configure the following Distributed COM (DCOM) settings on the Windows server to allow the PoPs in the Cato Cloud to communicate remotely with the domain:
- Windows services
- DCOM properties and protocols
- COM security permissions
Start the Server, Remote Registry, and WMI Performance Adapter Windows services and configure them to start automatically with the Windows server.
Note: The WMI Performance Adapter service is called WMI on other versions of Windows Server.
To enable the Windows services:
1. From the Run menu, enter services.msc and click OK.
2. In the Services window, verify that each of the Server, Remote Registry, and WMI Performance Adapter services is started and set for automatic startup.
3. To change a service property, right-click the service name, and then click Properties.
   - For Startup type, select Automatic.
   - If the service is not started, click Start.
4. Click OK and close the Services window.
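The same result from Windows PowerShell, as an added example that is not part of the Cato article: it maps the display names above to the underlying service names, sets each to Automatic, starts it, and then reports any service that is still not Running and Automatic.

```powershell
# Added example (not from the Cato article): enforce and verify the three services.
# Display name -> service name (the service name is the stable identifier).
$services = @{
    'Server'                  = 'LanmanServer'
    'Remote Registry'         = 'RemoteRegistry'
    'WMI Performance Adapter' = 'wmiApSrv'   # shown as "WMI" on some Windows versions
}

foreach ($displayName in $services.Keys) {
    $name = $services[$displayName]
    $svc  = Get-Service -Name $name -ErrorAction Stop

    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name $name -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $name
    }
}

# Verification pass: OK is $false for anything that is not Running and Automatic.
Get-Service -Name $services.Values |
    Select-Object DisplayName, Name, Status, StartType,
        @{ n = 'OK'; e = { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' } }
```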
The DCOM properties define the Authentication and the Impersonation Level for the server. Configure the server Authentication Level to Connect, which means that the session key is only used for the authentication handshake.
Set the Impersonation Level to Identify, to allow the PoPs to only access the user data that is relevant to Cato Directory Services.
The DCOM Protocol Sequence for the server defines how the server communicates over the network. Directory Services uses the connection-oriented TCP/IP protocol.
To configure DCOM for Directory Services:
1. From the Run menu, enter dcomcnfg and click OK. The Component Services window opens.
2. From Component Services > Computers > My Computer, right-click My Computer and select Properties. The My Computer Properties window opens.
3. Configure the DCOM communication properties for the Windows server:
   - In the My Computer Properties window, select the Default Properties tab.
   - Select Enable Distributed COM on this computer.
   - From Default Authentication Level, select Connect.
   - From Default Impersonation Level, select Identify.
4. Make sure that the DCOM protocols include Connection-oriented TCP/IP:
   - Click the Default Protocols tab. If the DCOM Protocols list includes Connection-oriented TCP/IP, continue with step 6 below.
   - Click Add. The Select DCOM protocol window opens.
   - From Protocol Sequence, select Connection-oriented TCP/IP.
   - Click OK to close the Select DCOM protocol window.
5. Click OK.
6. A message notifies you that you are about to change the DCOM machine-wide settings. Click Yes to continue.
In the Component Services window (dcomcnfg), configure the COM Security Access Permissions and Launch and Activation Permissions to give the PoPs default access for:
- Distributed COM Users
- Event Log Readers
To configure the COM Security permissions for Directory Services:
1. If necessary, open the My Computer Properties window: from Component Services > Computers > My Computer, right-click My Computer and select Properties.
2. Click the COM Security tab.
3. Configure the default access permissions for the distributed COM users and the event log readers:
   - In Access Permissions, click Edit Default.
   - Under Group or user names, add and configure Distributed COM Users with the following permissions:
     - Local Access - Allow
     - Remote Access - Allow
   - Repeat the previous two steps for the Event Log Readers group.
   - Click OK.
4. Configure the launch permissions for the distributed COM users and the event log readers:
   - In Launch and Activation Permissions, click Edit Default.
   - Under Group or user names, add and configure Distributed COM Users with the following permissions:
     - Remote Launch - Allow
     - Remote Activation - Allow
   - Repeat the previous two steps for the Event Log Readers group.
   - Click OK.
5. Click OK and close the My Computer Properties and Component Services windows. The COM security permissions are configured.
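As an added, read-only check that is not part of the Cato article, the following Windows PowerShell script reads the values that dcomcnfg stores for the Default Properties, Default Protocols and COM Security settings described above and reports whether they match. It assumes the standard registry locations and COM right bits documented by Microsoft (Connect = 2, Identify = 2, ncacn_ip_tcp for Connection-oriented TCP/IP) and the well-known SIDs of the two built-in groups; it changes nothing.

```powershell
# Added example (not from the Cato article): audit the machine-wide DCOM settings.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc'

# Default Properties / Default Protocols: Enable DCOM = "Y", Connect = 2
# (RPC_C_AUTHN_LEVEL_CONNECT), Identify = 2 (RPC_C_IMP_LEVEL_IDENTIFY).
[pscustomobject]@{
    EnableDCOM         = $ole.EnableDCOM -eq 'Y'
    AuthLevelIsConnect = $ole.LegacyAuthenticationLevel -eq 2
    ImpLevelIsIdentify = $ole.LegacyImpersonationLevel -eq 2
    TcpProtocolPresent = $rpc.'DCOM Protocols' -contains 'ncacn_ip_tcp'  # Connection-oriented TCP/IP
}

# COM Security: the default ACLs are self-relative security descriptors. In the
# Access list, Local/Remote mean Local/Remote Access; in the Launch list they mean
# Local/Remote Launch, and LocalActivate/RemoteActivate are the activation rights.
$comRights = @{ 1 = 'Execute'; 2 = 'Local'; 4 = 'Remote'; 8 = 'LocalActivate'; 16 = 'RemoteActivate' }
$groups    = @{ 'S-1-5-32-562' = 'Distributed COM Users'; 'S-1-5-32-573' = 'Event Log Readers' }

foreach ($valueName in 'DefaultAccessPermission', 'DefaultLaunchPermission') {
    $bytes = $ole.$valueName
    if (-not $bytes) { "$valueName not set (OS defaults apply)"; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $groups.ContainsKey($sid)) { continue }
        $rights = $comRights.Keys | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $comRights[$_] }
        [pscustomobject]@{
            Setting = $valueName
            Group   = $groups[$sid]
            Type    = $ace.AceType          # AccessAllowed is what the article configures
            Rights  = ($rights | Sort-Object) -join ','
        }
    }
}
```

A group that is missing from the output for a setting has no entry in that default ACL at all, which is the case to look for after following the steps above.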
This section discusses how to configure the WMI permissions to allow Cato User Awareness to send WMI queries from the PoPs to the Windows server.
To connect to a remote computer using WMI, make sure that the correct DCOM settings and WMI namespace security settings are enabled for the connection.
For more about how to configure the WMI settings to allow connections from the Cato Management Application, see the Microsoft documentation.
The user or group that you configured for DCOM access must also have WMI permission to access the Windows event logs that give Cato access to the login events for the AD users. Configure WMI to allow remote access for Distributed COM Users and Event Log Readers.
To configure WMI user access settings:
1. From the Run menu, enter wmimgmt.msc and click OK. The Windows Management Instrumentation window opens.
2. Right-click WMI Control (Local) and select Properties. The WMI Control (Local) Properties window opens.
3. Select the Security tab. The Namespace menu tree appears.
4. Expand the Root branch and click CIMV2.
5. Click Security below the menu tree. The Security for ROOT\CIMV2 window opens.
6. Configure the namespace permissions for the distributed COM users and the event log readers:
   - Under Group or user names, add and configure Distributed COM Users with the following permissions:
     - Enable Account - Allow
     - Remote Enable - Allow
   - Repeat the previous step for Event Log Readers.
7. Configure the advanced settings for the distributed COM users:
   - Select Distributed COM Users and click Advanced. The Advanced Security Settings for CIMV2 window opens.
   - In the Principal column, select Distributed COM Users and click Edit. The Permission Entry for CIMV2 window opens.
   - In the Applies to drop-down menu, select This namespace and subnamespaces.
8. Click OK. Close the Advanced Security Settings for CIMV2 window.
9. Configure the advanced settings for the event log readers:
   - Select Event Log Readers and click Advanced. The Advanced Security Settings for CIMV2 window opens.
   - In the Principal column, select Event Log Readers and click Edit. The Permission Entry for CIMV2 window opens.
   - In the Applies to drop-down menu, select This namespace and subnamespaces.
10. Click OK to close the Advanced Security Settings for CIMV2 window.
11. Click OK to close the Security for ROOT\CIMV2 window and the WMI Control (Local) Properties window.
The WMI user access settings are configured.
Edit the Windows registry to give read permissions to distributed COM users and event log readers.
To configure the registry permissions for the WMI controller:
1. Run Regedit.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.
3. Right-click the Security key and select Permissions.
4. Add and configure these groups with Read permissions:
   - Distributed COM Users
   - Event Log Readers
5. Click OK.
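The WMI namespace permissions and the registry permissions from the two procedures above can be verified together. This is an added, read-only Windows PowerShell example, not part of the Cato article; it uses the standard WMI access bits (Enable Account = 0x1, Remote Enable = 0x20) and ACE inheritance flag (CONTAINER_INHERIT_ACE = 0x2, which is what "This namespace and subnamespaces" sets), and assumes Windows PowerShell 5.1, where Get-WmiObject is available.

```powershell
# Added example (not from the Cato article): check ROOT\CIMV2 namespace security and
# the Eventlog\Security registry ACL for the two groups the article uses.
$groups = 'Distributed COM Users', 'Event Log Readers'

# WMI namespace permissions: __SystemSecurity.GetSecurityDescriptor() returns the DACL
# as Win32_ACE entries with AccessMask, AceType and AceFlags.
$sec = Get-WmiObject -Namespace 'root\cimv2' -Class __SystemSecurity
$sd  = $sec.GetSecurityDescriptor().Descriptor
foreach ($ace in $sd.DACL) {
    if ($groups -notcontains $ace.Trustee.Name) { continue }
    [pscustomobject]@{
        Check            = 'WMI ROOT\CIMV2'
        Group            = $ace.Trustee.Name
        Allow            = ($ace.AceType -eq 0)              # 0 = ACCESS_ALLOWED_ACE_TYPE
        EnableAccount    = [bool]($ace.AccessMask -band 0x1)  # WBEM_ENABLE
        RemoteEnable     = [bool]($ace.AccessMask -band 0x20) # WBEM_REMOTE_ACCESS
        SubnamespacesToo = [bool]($ace.AceFlags -band 0x2)    # CONTAINER_INHERIT_ACE
    }
}

# Registry: each group needs Read (RegistryRights ReadKey) on the Security log key.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$acl      = Get-Acl -Path $key
$readMask = [System.Security.AccessControl.RegistryRights]::ReadKey
foreach ($group in $groups) {
    $entries = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "BUILTIN\$group" }
    [pscustomobject]@{
        Check   = 'Registry Eventlog\Security'
        Group   = $group
        Present = [bool]$entries
        Read    = [bool]($entries | Where-Object {
                      $_.AccessControlType -eq 'Allow' -and
                      (($_.RegistryRights -band $readMask) -eq $readMask) })
    }
}
```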
Since the connection to the DC uses a source IP in Cato's system range, if you are using an IPsec tunnel to connect to Cato Socket, you must configure Phase 2 for the Cato system range: 10.254.254.12.
For accounts that use a custom system range instead of the default one, use the custom range to calculate the fixed IP address for User Awareness sync. The fixed IP address is the 9th in the custom range. For example, if the custom reserved range is 10.10.10.0/16, then the fixed IP address is 10.10.10.9.
Accounts that use a smaller IP range still use the 9th address in the custom range. For example, if the custom reserved range is 10.200.200.64/28, then the fixed IP address is 10.200.200.73 (10.200.200.64 + x.x.x.9).
Configure the Windows or third-party firewall to allow access for the fixed IP address for the system range (or for a custom range). For more about system and custom ranges, see above Configuring a WMI Controller with an IPsec Tunnel.
- If you are using a Windows firewall, you must add an exception that allows DCOM communications.
- If you are using a third-party firewall between the Windows Server and the Cato Network, add the same exception to it.
To configure the Windows firewall to permit DCOM communications:
1. Open the Run menu.
2. Type wf.msc and click OK.
3. Select Inbound Rules.
4. In the Action menu, select New Rule. The New Inbound Rule Wizard opens.
5. Select Custom and click Next. The Program window opens.
6. Select All programs, and click Next. The Protocol and Ports window opens.
7. For Protocol type, select TCP and click Next. The Scope window opens.
8. For Which remote IP addresses does this rule apply to, select the These IP addresses option.
   - Click Add. In This IP address or subnet, enter the fixed IP address for the system range: 10.254.254.12.
   - If you are using a custom range, enter the fixed IP address for your range.
9. Click OK and then click Next. The Action window opens.
10. Select Allow the connection and click Next. The Profile window opens.
11. Select one or more network profiles to which the rule applies and click Next. The Name window opens.
12. Enter the Name for the firewall rule, and then click Finish.
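The fixed-IP calculation from the custom-range section above and the firewall rule from this procedure, as one added Windows PowerShell example that is not part of the Cato article. Get-CatoFixedIP is a hypothetical helper that adds 9 to the base address exactly as the article's two examples do (so 10.10.10.0/16 gives 10.10.10.9 and 10.200.200.64/28 gives 10.200.200.73); the rule name and firewall profile are assumptions.

```powershell
# Added example (not from the Cato article). Hypothetical helper: base address of the
# reserved range + 9, matching the article's worked examples (the prefix length is ignored).
function Get-CatoFixedIP {
    param([Parameter(Mandatory)][string]$Range)   # e.g. '10.200.200.64/28'
    $base  = [System.Net.IPAddress]::Parse(($Range -split '/')[0])
    $bytes = $base.GetAddressBytes()              # network byte order (big-endian)
    [array]::Reverse($bytes)                      # BitConverter expects little-endian on x86/x64
    $n   = [System.BitConverter]::ToUInt32($bytes, 0) + 9
    $out = [System.BitConverter]::GetBytes([uint32]$n)
    [array]::Reverse($out)
    ([System.Net.IPAddress]::new($out)).IPAddressToString
}

# Default system range: the article's fixed address. For a custom range, derive it instead.
$fixedIP = '10.254.254.12'
# $fixedIP = Get-CatoFixedIP '10.200.200.64/28'

# Same rule the wizard steps above produce: inbound, TCP, any program, allow,
# scoped to the single fixed address rather than the whole range.
$ruleName = 'Cato User Awareness - DCOM/WMI'     # assumed rule name
$rule = @{
    DisplayName   = $ruleName
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'
    Program       = 'Any'
    RemoteAddress = $fixedIP
    Profile       = 'Domain'                      # assumed; use the profile of the tunnel-facing interface
}
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule @rule | Out-Null
}

# Verify the scope that was actually applied.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
```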
Comments:
Caleb (calebl): Added a link to this article that includes the IP address for Cato's LDAP service (you must be logged in to the Cato Knowledge Base to view the article). Thanks!
Hello, the link for Resolving Issues with LDAP Sync resolves to a page that does not exist.
Thanks Khaled Issa, the link has been updated.