Creating Active Directory Profiles
Use the Create Active Directory Profile page to configure the IP address-to-user mapping information and the user-to-group mapping information to access the LDAP server.
To create an Active Directory profile:
Field |
Description |
---|---|
General Information |
|
Name |
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 255 characters. |
Description |
Enter a description for the Active Directory profile; maximum length is 255 characters. |
On Demand Probe |
Enable the manual on-demand probing of a domain PC as an alternate method for the SRX Series device to retrieve address-to-user mapping information. By default, the manual on-demand probing is not enabled. |
Timeout |
|
Authentication Entry Timeout |
Set the timeout to 0 to avoid having the user's entry being removed from the authentication table after the timeout. Note that when a user is no longer active, a timer is started for that user’s entry in the Active Directory authentication table. When the time is up, the user’s entry is removed from the table. Entries in the table remain active as long as there are sessions associated with the entry. The default authentication entry timeout is thirty minutes. To disable timeout, set the interval to zero. The range is 10 through 1440 minutes. |
WMI Timeout |
Configure the number of seconds that the domain PC has to respond to the SRX Series device’s query through Windows Management Instrumentation (WMI) or Distributed Component Object Module (DCOM). If no response is received from the domain PC within the The range is 3 through 120 seconds. |
Filter |
|
Filter |
Set the range of IP addresses that must be monitored or not monitored.
Click Add New Address to create a new IP address and add it as either include or exclude from monitoring. |
Add Domain Settings |
|
Domain Name |
Enter the name of the domain; the length of the name ranges from 1 through 64 characters. The SRX Series device can have the integrated user firewall configured in a maximum of two domains. Example: example.net |
Description |
Enter a description for the LDAP server domain; maximum length is 255 characters. |
Username |
Enter the Active Directory account name. The range is 1 through 64 characters. Example: administrator |
Password |
Enter the password of the Active Directory account. The range is 1 through 128 characters. Example: $ABC123 |
Domain Controller(s) |
Click the plus(+) sign to create new domain controllers.
|
User Group Mapping(LDAP) |
|
IP Address |
Specify the IP address of the LDAP server. If no address is specified, the system uses one of the configured Active Directory domain controllers. Example: 192.0.2.15 |
Port |
Specify the port number of the LDAP server. If no port number is specified, the system uses port 389 for plaintext or port 636 for encrypted text. |
Base DN |
Enter the LDAP base distinguished name (DN). Example: DC=example,DC=net |
Username |
Enter the username of the LDAP account. If no username is specified, the system will use the configured domain controller’s username. Example: administrator |
Password |
Enter the password for the account. If no password is specified, the system uses the configured domain controller’s password. Example: xxxxx |
Use SSL |
Enable Secure Sockets Layer (SSL) to ensure secure transmission with the LDAP server. Disabled by default, then the password is sent in plaintext. |
Authentication Algorithm |
Specify the algorithm used while the SRX Series device
communicates with the LDAP server. By default |
IP-User Mapping |
|
Discovery Method |
Enable the method of discovering IP address-to-user mappings.
|
Event Log Scanning Interval |
Enter the scanning interval at which the SRX Series device scans the event log on the domain controller. The range is 5 through 60 seconds. |
Initial Event Log TimeSpan |
Enter the time of the earliest event log on the domain controller that the SRX Series device will initially scan. This scan applies to the initial deployment only. After WMIC and the user identification start working, the SRX Series device scans only the latest event log. The range is 1 through 168 hours. |
Assign Device |
|
Device |
Select these devices from the Available column and move them to the Selected column. You can also search for the devices in the search field in both the Available and Selected columns. You can search these devices by entering the device name, device IP address, or device tag. |