How do I configure Active Directory integration with the DC Agent on my Barracuda Web
Filter?
Solution #00002865
Scope:
All Barracuda Web Filters, all firmware versions; all networks running Windows 2003 domain controllers and 2003 Active Directory should use version 6.0.0.32. DC Agent versions 2.14 to 6.0 also support Windows 2008 domain controllers; version 4.6 fixed memory leak issues, and you should now update to the latest available version from the UI download link. DC Agent versions 6.0 and above also support Windows 2012 and should be updated as needed. Important note: Core versions are not supported. Agents 6.0 and up now also need Active Directory bind account information configured, as well as the Web Filter's IP address configured under the "Appliances" tab, located within the DC Agent program. If your Web Filter only supports up to the 4.5.x version of Web Filter firmware, you will need to contact support, since the last available DC Agent version on the 4.5 Web Filter firmware is v4.3.
Link to 6.0.0.032 Agent: https://www.copy.com/s/C2gvFWqZnKUd/
Answer:
While the Barracuda Web Filter can be integrated with any LDAP or Active Directory servers, the DC Agent may only be used with 2003, 2008, and 2012 versions of Active Directory. The DC Agent must be installed on each of your domain controllers that will see any login event from your users in order to function properly.
!!IMPORTANT!!
If you have only one domain (ex. abc.com), you only need one authentication service, which is usually the primary domain controller, to which you give an alias during the setup process. All domain controllers on the network must have the DC Agent installed and be linked to that server alias.
https://www.barracuda.com/support/knowledgebase/50160000000H2LxAAK 1/8
21/4/2015 Barracuda Networks Knowledge Base
If you have multiple domains (ex. abc.com and xyz.com), each domain must be listed in the authentication service with a different alias for each domain. In this setup you also just need each domain's primary domain controller to be listed as the authentication server for the corresponding domain (alias). All installed DC Agents must be linked to the corresponding server alias.
In a multiple-domain scenario you have an option to "Aggregate Active Directory Domains". When set to Yes, this will look at both domains as if they were one and the same domain. This is useful in creating exceptions when you have the same user that belongs to both domains (ex. joe@abc.com and joe@xyz.com); you can then create an exception using the first server alias in the authentication list, and the exception will apply to the user in both domains.
If you select No for "Aggregate Active Directory Domains", each domain will be treated separately, and exceptions will need to be created on a per-domain basis.
Installing the DC Agent on your network will allow the Barracuda Web Filter to associate outgoing web requests with Active Directory users, log their activity, and apply user-specific or group-specific policies to outgoing connections without requiring users to log in to the Barracuda Web Filter.
First, you will need to configure the Barracuda Web Filter to work with your Active Directory server on the Users/Groups > Authentication Services or Users/Groups > Authentication page. You will need one authentication service for each Active Directory domain. This page lets you specify the location of your LDAP server so your Barracuda Web Filter can:
Authenticate users using LDAP
Authenticate user group membership using LDAP
Allow you to assign exception policies to LDAP users.
Navigate to the Users/Groups > Authentication Services or Users/Groups > Authentication page, select the LDAP tab, and fill out all of the needed information:
LDAP Server: The IP address of your LDAP or Active Directory server.
LDAP Port: The port used by your LDAP or Active Directory server. The default is port 389.
LDAP Search Base: The base distinguished name (DN) for the directory. For example, if your domain is test.com, your base DN might be dc=test,dc=com.
Bind DN: The distinguished name (DN) of a user in your LDAP directory that has read access to all the users in LDAP. The Barracuda Web Filter uses the distinguished name to look up users in the LDAP database so the users can be assigned to exception policies and displayed on the Users/Groups > Accounts View page.
Bind Password: The password for the user you specified in the Bind DN field.
UID Attribute: The attribute that contains the user's ID. For Active Directory, it is recommended that you use sAMAccountName. For OpenLDAP, it is recommended that you use uid.
The Barracuda DC Agent 7.1.x and higher does not support Windows Server 2003. If you are running Windows Server 2003, please contact Barracuda Technical Support. Otherwise, download the Barracuda DC Agent from the USERS/GROUPS > Authentication page of the Barracuda Web Filter web interface.
DC Agent 6.x and 7.1.x
!! DC Agent 5.0 and below, please contact Barracuda Networks Technical Support
Launch the installation file (DCAgent.exe) and follow the instructions in the wizard.
After the Barracuda DC Agent is installed and running correctly, launch the application and complete the following steps.
Note: Your entries in the DC Agent interface will NOT be saved until you click the Save button.
1. Define location and login credentials for your Active Directory. Click the Active Directories tab and click the green + sign to add a domain.
a. Select Local if you installed the DC Agent on the Domain Controller; select Remote if you installed on another machine on the network.
b. If you selected Remote, enter the Fully Qualified Domain Name (FQDN) in the Host field.
c. Enter a name for referring to the domain, e.g. 'Finance', 'Salesnet', etc.
d. The Username should be associated with permissions to run WMI queries on the domain controller. Enter that user's Password and click OK.
e. Click Test to verify connectivity with the domain controller.
On the Filters tab, specify the IP Address for any client PCs or networks for which you don't want the DC Agent to capture and send login information to your Barracuda Networks products. These are exceptions, and associated login events will be ignored by the DC Agent.
On the Appliances tab, add the internal IP Address and a Description for each Barracuda Networks Web Filter which you want to use the DC Agent for.
On the Settings tab, add the Appliance Listening Port. If required, you can change the TCP listening port. Make sure that you also specify the same port on all configured Barracuda Networks products. Default is port 5049.
f. Check the services currently running on your Domain Controller itself and make sure the Barracuda DC Agent is set to Automatic and turned on.
Listening for Logon Events
In order for the DC Agent to pick up the usernames, all domain controllers need to have logon event auditing enabled.
Windows Server 2003 configuration
1. Open Domain Controller Security Policy under Start > Programs > Administrative Tools. Be sure to open Domain Controller Security Policy and not Domain Security Policy, as the Domain Controller Security Policy takes precedence over any Domain Security Policy that may be configured (for each domain controller specifically).
2. Click on Local Policies, and then Audit Policy.
3. Make sure both Audit account logon events and Audit logon events have Success in the Policy Setting column.
4. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda. So be patient with the process after you have turned it on.
Windows Server 2008 configuration
1. Navigate to Start > Administrative Tools > Local Security Policy.
2. Click on Local Policies > Audit Policies.
3. Make sure both Audit account logon events and Audit logon events have Success in the Policy Setting column.
4. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda Web Filter. It may take time to start tracking new events; please be patient.
Windows Server 2012 configuration
1. Open the Server Manager.
2. Click Tools > Local Security Policy.
3. Make sure both Audit account logon events and Audit logon events have Success in the Security Setting column.
4. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda Web Filter. It may take time to start tracking new events; please be patient.
Checking Connection with installed DC Agent
If the DC Agent has been installed and is running on each relevant domain controller, you can verify it is working by going to the Advanced > Troubleshooting page of the Web Filter's interface and entering the IP address of the Domain Controller you are testing, followed by port 5049, in the telnet field. It should look something like 192.168.3.67 5049. Once this has been entered, click the Begin Telnet button. If the Barracuda is able to communicate properly with the domain controller, you should see something like this:
$ telnet 192.168.3.67 5049
Trying 192.168.3.67...
Connected to 192.168.3.67.
Escape character is '^]'.
If you do not see the 'Connected to' message, the Barracuda Web Filter is not able to communicate with the specified domain controller on the necessary port 5049.
Once connectivity to your domain controllers has been verified, check to make sure the DC Agent is properly generating network logon events. You can do this by logging on to your domain controllers and navigating to Start > Programs > Administrative Tools > Event Viewer. Click on Security Filter, and you should see Success Audits with Event IDs like 538 and 540 (Windows 2003), and 4624 (Windows 2008 and 2012). This means the domain controller is generating the proper Active Directory logon events.
If you are on a Windows 2012 Domain Controller and the 4624 event IDs are not being generated, make sure that Logon/Logoff is set to "Success"; this setting is found in the Windows Advanced Audit Policy Configuration.
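The domain-controller checks in this section (audit policy, 4624 events, agent service state, listener on port 5049) can be scripted. The following PowerShell is an added example, not Barracuda's own tooling; it assumes Windows Server 2012 or later with an English-language OS, a 15-minute look-back window, and that the agent's service display name contains "Barracuda".

```powershell
# Added example: run in an elevated Windows PowerShell session on each
# domain controller (Windows Server 2012 or later, English OS assumed).
$port  = 5049                          # DC Agent listening port (page default)
$since = (Get-Date).AddMinutes(-15)    # look-back window (assumption)

# 1. Effective audit policy: the Logon subcategory must include Success.
$logon = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$auditSetting = $logon.'Inclusion Setting'

# 2. Are Event ID 4624 records actually reaching the Security log?
$logons = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue)

# The user and source address recorded in the five newest events.
$pairs = $logons | Select-Object -First 5 | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    '{0}\{1} from {2}' -f $d.TargetDomainName, $d.TargetUserName, $d.IpAddress
}

# 3. DC Agent service must be Automatic and running.
#    Assumption: the service display name contains "Barracuda".
$svc = @(Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Barracuda%'")
$svcOk = [bool]($svc | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' })

# 4. Is a process listening on the agent port?
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue

[pscustomobject]@{
    LogonAuditSetting = $auditSetting
    LogonAuditOk      = [bool]($auditSetting -match 'Success')
    Recent4624Count   = $logons.Count
    RecentLogons      = $pairs -join '; '
    AgentService      = ($svc | ForEach-Object { "$($_.DisplayName): $($_.StartMode)/$($_.State)" }) -join '; '
    AgentServiceOk    = $svcOk
    ListeningOnPort   = [bool]$listener
} | Format-List
```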
You will also need to configure the Barracuda Web Filter to use the DC agents. This is done on the Users/Groups > Configuration or Users/Groups > Authentication page under the DC Agent Configuration heading. After setting the Enable Single Sign-On option to Yes, here's what you need to enter for each of your domain controllers:
IP Address of Domain Controller: IP address of the primary domain controller (PDC). The Barracuda Web Filter needs the IP address of the PDC to poll the DC Agent for the list of authenticated users.
DC Agent Listening Port: The port used by the DC Agent to communicate with the Session Monitor on the Barracuda Web Filter. The recommended port number is 5049.
Synchronization Interval: The time interval (in seconds) at which the Session Monitor polls the DC Agent for the list of authenticated users. The recommended value is 15 seconds.
Once all of this is finished, your Barracuda Web Filter should now properly associate web browsing with Active Directory users. If you would like to configure browsing rules based on the Active Directory identity of the browsing user, you may do so on the Block/Accept > Exceptions page. To do this, first create a rule, and then click the Lookup button at the top of the list of exceptions. A new window will pop up and, if the Active Directory server has been configured properly on the Web Filter, the Active Directory User/Group section should list your Active Directory groups and users. You may then select these to specify which Active Directory users are subject to each particular exception you configure.
Additional Notes
In some cases, Barracuda DC Agent configuration changes may not be applied to a running Barracuda DC Agent process. If (after configuring everything above) the Barracuda DC Agent is not syncing with the Barracuda Web Filter, try restarting the Barracuda DC Agent process.
Also, it is not always necessary to update the DC Agent version when updating the firmware on the Web Filter, as new firmware versions are backwards compatible with older DC Agents. Please contact Barracuda Technical Support if authentication issues occur after a firmware update.
If you are getting the error "Bad bind DN, error code 8, stronger authentication required" while configuring your LDAP authentication service, that means that your Domain Controller doesn't support the LDAP_Simple_Bind request.
You need to modify the Domain Controller security settings:
1. Click Start > Run > gpedit.msc
2. In the Group Policy Object Editor, select the following: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
3. In this section, search for the following entries:
Domain Controller: LDAP Server signing requirements.
Network security: LDAP Client signing requirements
4. To enable simple binds, set the above as follows:
Domain controller: LDAP server signing requirements = None
Network security: LDAP client signing requirements = Negotiate
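To see which result code the domain controller returns, you can reproduce the simple bind and user lookup described by the LDAP settings earlier in this article from any domain-joined Windows host. This PowerShell is an added example, not part of the original article; the server address, bind account and user name are placeholders, while port 389, the base DN dc=test,dc=com and sAMAccountName are the article's own examples.

```powershell
# Added example. Server, bind account and user are placeholders (assumptions);
# port 389, dc=test,dc=com and sAMAccountName are the article's own examples.
param(
    [string]$Server     = '192.0.2.10',
    [int]   $Port       = 389,
    [string]$SearchBase = 'dc=test,dc=com',
    [string]$BindDN     = 'cn=svc-webfilter,cn=Users,dc=test,dc=com',
    [string]$User       = 'joe'
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

# A simple bind on port 389 carries the DN and password unencrypted.
$secret = Read-Host -AsSecureString "Password for $BindDN"
$id   = New-Object "$ns.LdapDirectoryIdentifier" ($Server, $Port)
$conn = New-Object "$ns.LdapConnection" ($id)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.ReferralChasing = 'None'

try {
    $conn.Bind((New-Object System.Net.NetworkCredential ($BindDN, $secret)))
    Write-Output "Simple bind accepted for $BindDN"
}
catch {
    # Unwrap PowerShell's wrapper exception to reach the LdapException, if any.
    $e = $_.Exception
    while ($e -and $e -isnot [System.DirectoryServices.Protocols.LdapException]) { $e = $e.InnerException }
    if (-not $e) { throw }
    switch ($e.ErrorCode) {
        8       { Write-Warning 'Result 8 (stronger authentication required): the DC requires LDAP signing and rejects simple binds.' }
        49      { Write-Warning 'Result 49 (invalid credentials): check the Bind DN and Bind Password.' }
        default { Write-Warning "Bind failed with result $($e.ErrorCode): $($e.Message)" }
    }
    return
}

# Same lookup the UID Attribute setting implies: find the user, list groups.
$scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$req   = New-Object "$ns.SearchRequest" ($SearchBase, "(sAMAccountName=$User)", $scope, [string[]]@('memberOf'))
$resp  = $conn.SendRequest($req)
if ($resp.Entries.Count -eq 0) {
    Write-Warning "Bind works, but '$User' was not found under $SearchBase; check the search base and UID attribute."
}
foreach ($entry in $resp.Entries) {
    $groups = if ($entry.Attributes.Contains('memberOf')) { $entry.Attributes['memberOf'].GetValues([string]) } else { @() }
    [pscustomobject]@{ UserDN = $entry.DistinguishedName; Groups = $groups -join '; ' }
}
```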
Link to This Page:
https://www.barracudanetworks.com/support/knowledgebase/50160000000H2Lx