This article provides an overview of using Directory Services to integrate your LDAP service (such as Active Directory) with your Cato account. It also discusses how User Awareness can help to identify users according to their LDAP settings (such as first and last name).
Cato Networks lets you integrate Active Directory (AD) with your account to make it easier to manage SDP users in your account.
- The Directory Services feature helps you onboard and manage SDP users. In the Cato Management Application, select the AD user groups that are synchronized with your account.
- User Awareness lets you identify the end-users in your network. In addition, the Analytics features can show traffic and events by AD first and last name, host name, and IP address.
Changes made in the AD are synced automatically with the Cato Management Application (daily at 12:00 am UTC), or on demand by the administrator.
For accounts that enable User Awareness, you must configure Directory Services first.
This section describes the end-to-end workflow to configure the Windows server so that the PoPs can integrate with it for Directory Services and User Awareness. The WMI settings in step 1c are required only for User Awareness; accounts that configure only Directory Services should skip step 1c.
1. Prepare the Windows server for Cato Directory Services and User Awareness. See Configuring the Windows Server for Directory Services.
   a. Create a dedicated AD user that belongs to the Distributed COM Users and Event Log Readers groups. The PoPs use this user to connect to the AD server.
   b. Configure these Windows settings for Directory Services:
      - Windows services
      - DCOM settings
      - COM security permissions
   c. (For User Awareness only) Configure the WMI settings to allow the PoPs to query the user login events:
      - Configure the server to allow remote connections using WMI (see the Microsoft documentation, Securing a Remote WMI Connection).
      - Configure the WMI user access settings.
      - Configure the WMI Controller registry permissions.
      - Configure the Windows Firewall to allow DCOM communications.
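The Windows-server side of step 1, as an added PowerShell example. This is not Cato's script and does not come from the linked article; it assumes an elevated session on a domain controller with the ActiveDirectory (RSAT) module, a service account named svc-cato, a DC named DC01, and placeholder PoP addresses, all of which are assumptions. Which Windows services Cato requires and which logon events it queries are not stated here, so the script only checks the WMI service and reads Windows logon event 4624 to prove the path works. The DCOM settings, COM security permissions, WMI user access settings, and WMI Controller registry permissions are GUI steps (dcomcnfg.exe, wmimgmt.msc, regedit.exe) and are not scripted.

```powershell
# Added example (not from the Cato article): prepare a DC for Cato Directory
# Services / User Awareness, then verify the exact path the PoPs use.
# Assumed names: service account 'svc-cato', DC 'DC01', PoP IPs in $PopAddresses.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$SvcAccount   = 'svc-cato'                         # assumption: name is yours to choose
$DomainCtrl   = 'DC01'                             # assumption: DC the PoPs will query
$PopAddresses = @('203.0.113.10', '203.0.113.11')  # placeholder (TEST-NET-3), not Cato PoP IPs

# Step 1a: dedicated least-privilege AD user, member only of the two built-in
# groups the article names (DCOM access + Security log read). The password is
# stored in the Cato Management Application, so rotate it there when you rotate
# it in AD.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
        -AccountPassword (Read-Host -AsSecureString "Password for $SvcAccount") `
        -Enabled $true -CannotChangePassword $true
}
foreach ($group in 'Distributed COM Users', 'Event Log Readers') {
    Add-ADGroupMember -Identity $group -Members $SvcAccount
}

# Step 1b (Windows services): the WMI service must be running and automatic.
# DCOM settings and COM security permissions are set in dcomcnfg.exe, not here.
Set-Service -Name Winmgmt -StartupType Automatic
Start-Service -Name Winmgmt

# Step 1c (User Awareness only): firewall. The built-in WMI group covers the
# DCOM endpoint mapper (TCP 135) and the RPC dynamic ports WMI uses; the remote
# event log group covers direct event log reads. Scoping the rules to the PoP
# addresses is a least-privilege choice of this example, not an article requirement.
foreach ($ruleGroup in 'Windows Management Instrumentation (WMI)', 'Remote Event Log Management') {
    Set-NetFirewallRule -DisplayGroup $ruleGroup -Enabled True -RemoteAddress $PopAddresses
}

# Verification, run from any domain-joined host as the service account.
# Forcing DCOM matters: Get-CimInstance without a session uses WS-Man (WinRM),
# which would succeed even if the DCOM/COM/firewall configuration were wrong.
function Test-CatoWmiPath {
    param(
        [string]$ComputerName = $DomainCtrl,
        [pscredential]$Credential = (Get-Credential -UserName "$env:USERDOMAIN\$SvcAccount" -Message 'Service account')
    )
    $option  = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $option
    try {
        # Win32_NTLogEvent in root\cimv2 exercises both DCOM access and
        # Security-log read rights. Event 4624 (successful logon) is used only to
        # prove the read path; the events Cato queries are not stated in the article.
        Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
            -Filter "Logfile='Security' AND EventCode=4624" |
            Select-Object -First 3 TimeGenerated, EventCode, ComputerName
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

Test-CatoWmiPath
```

If Test-CatoWmiPath fails with an RPC server unavailable error, the firewall scoping or DCOM settings are the usual cause; an access denied error points at the group membership, the WMI namespace permissions (Remote Enable on root\cimv2), or the COM security permissions. Because the check binds over DCOM with the same account the PoPs use, a successful run means the server side of steps 1a to 1c is in place.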
2. Configure the Directory Services settings in the Cato Management Application. See Provisioning Users with LDAP.
   a. Add the AD domain to the Directory Services for the account.
   b. Add the Domain Controllers.
   c. Define the AD groups that are synchronized, and the sync settings.
3. Configure the User Awareness settings in the Cato Management Application. See the User Awareness articles.
   - User Awareness with an AD server:
     a. Add the AD domain to User Awareness.
     b. Add the Real Time Sync Domain Controllers.
     c. Define the AD groups that participate in User Awareness.
   - User Awareness with the Cato Identity Agent:
     a. Enable the User Awareness Identity Agent for your account.
     b. Install the Cato Client on the devices where you are identifying users.
There are specific email notifications and events for Directory Services and User Awareness.
You can configure the Cato Management Application to send email notifications for Directory Services sync actions and for connectivity status with the DC:
- Syncing with the AD: success or failure, manual or automatic
- Connectivity failure with the DC: there is a connectivity issue between the Cato Management Application and the DC, which most likely impacts User Awareness
For more about configuring alerts, see Account Level Alerts and System Notifications.
The Event page shows all the Directory Services and User Awareness events for your account. You can learn more about using Cato events here.