Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring Active Directory

 

Use the Create Active Directory Profile page to configure the IP address-to-user mapping information and the user-to-group mapping information to access the LDAP server.

  1. Select Configure>Security>User Firewall>Active Directory in the J-Web user interface.
  2. Click Create Active Directory.
  3. Complete the configuration by using the guidelines in Table 233.
  4. Click Finish.

    A Summary page providing a preview of the complete configuration.

    You can edit or delete the configuration by clicking the Edit icon (/) or Delete Icon (X).

Table 233: Active Directory Configuration Options

Field

Function

General Information

On Demand Probe

Enable the manual on-demand probing of a domain PC as an alternate method for the SRX Series device to retrieve address-to-user mapping information.

Timeout

Authentication Entry Timeout

Set the timeout to 0 to avoid having the user's entry being removed from the authentication table after the timeout.

Note that when a user is no longer active, a timer is started for that user’s entry in the Active Directory authentication table. When the time is up, the user’s entry is removed from the table. Entries in the table remain active as long as there are sessions associated with the entry.

The default authentication entry timeout is thirty minutes. To disable timeout, set the interval to zero. The range is 10 through 1440 minutes.

WMI Timeout

Configure the number of seconds that the domain PC has to respond to the SRX Series device’s query through Windows Management Instrumentation (WMI) or Distributed Component Object Module (DCOM).

If no response is received from the domain PC within the wmi-timeoutinterval, the probe fails and the system either creates an invalid authentication entry or updates the existing authentication entry as invalid. If an authentication table entry already exists for the probed IP address, and no response is received from the domain PC within the wmi-timeout interval, the probe fails and that entry is deleted from the table.

The range is 3 through 120 seconds.

Invalid Authentication Entry Timeout

When a user is no longer active, a timer is started for that user’s entry in the Active Directory authentication table. When the time is up, the user’s entry is removed from the table.

If this value is not configured, all the invalid auth entry from Active Directory will use the default value as 30 minutes.

The range is 10 through 1440 minutes.

Firewall Authentication Forced Timeout

This is the firewall authentication fallback time. Set the timeout to 0 to avoid having the user's entry being removed from the authentication table after the timeout.

The range is 10 through 1440 minutes.

Filter

Filter

Set the range of IP addresses that must be monitored or not monitored.

  • Include—Specify to include IP addresses from the Available column.

  • Exclude—Specify to exclude IP addresses from the Available column.

Click the Add icon (+) to create a new IP address and add it as either include or exclude from monitoring.

Click the Delete icon (X) to delete a new IP address and add it as either include or exclude from monitoring.

Domain Settings

Domain

The Add Domain Settings page appears.

Enter the name of the domain, username, and password.

The username and password are the Active Directory account name and password.

The range for the username is 1 through 64 characters. Example: admin

The range for the password is 1 through 128 characters. Example: A$BC123

Domain Controller(s)

Click the add icon (+) to add domain controller settings.

  • Domain Controller Name— Name can range from 1 through 64 characters. A maximum of 10 domain controllers can be configured.

  • IP Address—IP address of the domain controller.

Example: example.net

User Group Mapping (LDAP)

IP Address

Specify the IP address of the LDAP server. If no address is specified, the system uses one of the configured Active Directory domain controllers.

Example: 192.0.2.16

Port

Specify the port number of the LDAP server. If no port number is specified, the system uses port 389 for plaintext or port 636 for encrypted text.

Base DN

Enter the LDAP base distinguished name (DN).

Example: DC=example,DC=net

Username

Enter the username of the LDAP account. If no username is specified, the system will use the configured domain controller’s username.

Password

Enter the password for the account. If no password is specified, the system uses the configured domain controller’s password.

Use SSL

Enable Secure Sockets Layer (SSL) to ensure secure transmission with the LDAP server. Disabled by default, then the password is sent in plaintext.

Authentication Algorithm

Specify the algorithm used while the SRX Series device communicates with the LDAP server. By default simple is selected to configure simple(plaintext) authentication mode.

IP-User Mapping

Discovery Method

Enable the method of discovering IP address-to-user mappings.

WMI—Windows Management Instrumentation (WMI) is the discovery method used to access the domain controller.

Event Log Scanning Interval

Enter the scanning interval at which the SRX Series device scans the event log on the domain controller. The range is 5 through 60 seconds.

Initial Event Log TimeSpan

Enter the time of the earliest event log on the domain controller that the SRX Series device will initially scan. This scan applies to the initial deployment only. After WMIC and the user identification start working, the SRX Series device scans only the latest event log.

The range is 1 through 168 hours.