21/4/2015 Barracuda Networks Knowledge Base

How do I configure Active Directory integration with the DC Agent on my Barracuda Web
Filter?
Solution #00002865

Scope:
All Barracuda Web Filters, all firmware versions, all networks running Windows 2003 domain controllers and 2003 Active Directory should use
version 6.0.0.32. While DC Agent versions 2.14 to 6.0 also support Windows 2008 domain controllers, 4.6 fixed memory leak issues and should now
update to the latest available version from the UI download link. DC Agent versions 6.0 and above also support Windows 2012 and should be
updated as needed. Important note: Core versions are not supported. 6.0 agents and up now also need Active Directory bind account information
configured, as well as the Web Filter's IP address configured under the "Appliances" tab, located within the DC Agent program. If your Web Filter only
supports up to the 4.5.x version of Web Filter firmware, you will need to contact support, since the last available version is the v4.3 DC Agent on the 4.5 Web
Filter firmware.

Link to 6.0.0.032 Agent: https://www.copy.com/s/C2gvFWqZnKUd/

Answer:

While the Barracuda Web Filter can be integrated with any LDAP or Active Directory servers, the DC Agent may only be used with
2003, 2008, and 2012 versions of Active Directory. The DC Agent must be installed onto each of your domain controllers that will
see any login event from your users in order to function properly.

!!IMPORTANT!!

If you have only one domain (ex. abc.com), you only need one authentication service, which usually is the primary domain controller
to which you give an alias during the setup process. All domain controllers on the network must have the DC Agent installed, and be linked to
that server alias.
https://www.barracuda.com/support/knowledgebase/50160000000H2LxAAK 1/8
If you have multiple domains (ex. abc.com and xyz.com), each domain must be listed in the authentication service with a different alias
for each domain. In this setup you also just need each domain's primary domain controller to be listed as the authentication server for
the corresponding domain (alias). All installed DC Agents must be linked to the corresponding server alias.

In a multiple domain scenario you have an option to "Aggregate Active Directory Domains". When set to Yes, this will look at both
domains as if they were one and the same domain. This is useful in creating exceptions when you have the same user that belongs
to both domains (ex. joe@abc.com and joe@xyz.com): you can create an exception using the first server alias in the
authentication list, and the exception will apply to the user in both domains.

If you select No for "Aggregate Active Directory Domains", each domain will be treated separately, and exceptions will need to be
created on a per-domain basis.

Installing the DC Agent on your network will allow the Barracuda Web Filter to associate outgoing web requests with Active
Directory users, log their activity, and apply user-specific or group-specific policies to outgoing connections without requiring users
to log in to the Barracuda Web Filter.

First, you will need to configure the Barracuda Web Filter to work with your Active Directory server on the Users/Groups >
Authentication Services or Users/Groups > Authentication page. You will need one authentication service for each Active
Directory domain. This page lets you specify the location of your LDAP server so your Barracuda Web Filter can:

Authenticate users using LDAP

Authenticate user group membership using LDAP

Allow you to assign exception policies to LDAP users.

Navigate to the Users/Groups > Authentication Services or Users/Groups > Authentication page, select the LDAP tab, and fill
out all of the needed information:

LDAP Server - The IP address of your LDAP or Active Directory server.

LDAP Port - The port used by your LDAP or Active Directory server. The default is port 389.

LDAP Search Base - The base distinguished name (DN) for the directory. For example, if your domain is
test.com, your base DN might be dc=test,dc=com.

Bind DN - The distinguished name (DN) of a user in your LDAP directory that has read access to all the
users in LDAP. The Barracuda Web Filter uses the distinguished name to look up users in the LDAP
database so the users can be assigned to exception policies and displayed on the Users/Groups >
Accounts View page.

Bind Password - The password for the user you specified in the Bind DN field.

UID Attribute - The attribute that contains the user's ID. For Active Directory, it is recommended that you
use sAMAccountName. For OpenLDAP, it is recommended that you use uid.

Getting and Installing the Barracuda DC Agent

The Barracuda DC Agent 7.1.x and higher does not support Windows Server 2003. If you are running Windows Server 2003, please
contact Barracuda Technical Support. Otherwise, download the Barracuda DC Agent from the USERS/GROUPS > Authentication
page of the Barracuda Web Filter web interface.

DC Agent 6.x and 7.1.x

!! DC Agent 5.0 and below, please contact Barracuda Networks Technical Support

Launch the installation file (DCAgent.exe) and follow the instructions in the wizard.

After the Barracuda DC Agent is installed and running correctly, launch the application and complete the following steps.

Note: Your entries in the DC Agent interface will NOT be saved until you click the Save button.

1. Define location and login credentials for your Active Directory. Click the Active Directories tab and click the green + sign to
add a domain.

a. Select Local if you installed the DC Agent on the Domain Controller; select Remote if you installed on another machine on
the network.

b. If you selected Remote, enter the Fully Qualified Domain Name (FQDN) in the Host field.

c. Enter a name for referring to the domain, e.g. 'Finance', 'Salesnet', etc.

d. The Username should be associated with permissions to run WMI queries on the domain controller. Enter that user's Password
and click OK.

e. Click Test to verify connectivity with the domain controller.

On the Filters tab, specify the IP Address for any client PCs or networks for which you don't want the
DC Agent to capture and send login information to your Barracuda Networks products. These are
exceptions, and associated login events will be ignored by the DC Agent.

On the Appliances tab, add the internal IP Address and a Description for each Barracuda Networks Web
Filter which you want to use the DC Agent for.

On the Settings tab, add the Appliance Listening Port. If required, you can change the TCP listening
port. Make sure that you also specify the same port on all configured Barracuda Networks products.
Default is port 5049.

f. Check the services currently running on your Domain Controller itself and make sure the Barracuda DC Agent is set to
Automatic and turned on.

Listening for Logon Events

In order for the DC Agent to pick up the usernames, we need all domain controllers to enable logon events.

Windows Server 2003 configuration

1. Open Domain Controller Security Policy under Start > Programs > Administrative Tools. Be sure to open Domain
Controller Security Policy and not Domain Security Policy, as the Domain Controller Security Policy takes precedence over
any Domain Security Policy that may be configured (for each domain controller specifically).

2. Click on Local Policies, and then Audit Policy.

3. Make sure both Audit account logon events and Audit logon events have Success in the Policy Setting column.

4. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda. So be patient with the process
after you have turned it on.

Windows Server 2008 configuration

1. Navigate to Start > Administrative Tools > Local Security Policy.

2. Click on Local Policies > Audit Policies.

3. Make sure both Audit account logon events and Audit logon events have Success in the Policy Setting column.

4. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda Web Filter. It may take time to
start tracking new events, please be patient.

Windows Server 2012 configuration

1. Open the Server Manager.

2. Click Tools > Local Security Policy.

3. Make sure both Audit account logon events and Audit logon events have Success in the Security Setting column.

4. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda Web Filter. It may take time to
start tracking new events, please be patient.

Checking Connection with installed DC Agent

If the DC Agent has been installed and is running on each relevant domain controller, you can verify it is working by going to the
Advanced > Troubleshooting page of the Web Filter's interface and entering the IP address of the Domain Controller you are
testing, followed by port 5049, in the telnet field. It should look something like 192.168.3.67 5049. Once this has been entered, click
the Begin Telnet button. If the Barracuda is able to communicate properly with the domain controller, you should see something
like this:

$ telnet 192.168.3.67 5049
Trying 192.168.3.67...
Connected to 192.168.3.67.
Escape character is '^]'.

If you do not see the 'Connected to' message, the Barracuda Web Filter is not able to communicate with the specified domain
controller on the necessary port 5049.

Once connectivity to your domain controllers has been verified, check to make sure the DC Agent is properly generating network
logon events. You can do this by logging on to your domain controllers and navigating to Start > Programs > Administrative Tools
> Event Viewer. Click on Security Filter, and you should see Success Audits with Event IDs like 538 and 540 (Windows 2003),
and 4624 (Windows 2008 and 2012). This means the domain controller is generating the proper Active Directory logon events.

If you are on a Windows 2012 Domain Controller, and the 4624 event IDs are not being generated, make sure that Logon/Logoff
is set to "Success"; this setting is found in the Windows Advanced Audit Policy Configuration.
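
The domain-controller checks described above (audit policy, recent 4624 events, agent service state, listening port), collected into one script as an added example; it is not Barracuda tooling. The service display-name pattern is an assumption, the address and port are the ones from the telnet example, and the audit category names are those of an English-language Windows install.

```powershell
# Added example (not from the Barracuda article): verify DC Agent prerequisites
# on one domain controller. Run in an elevated Windows PowerShell 3.0+ session.
param(
    [string]$DcAddress   = '192.168.3.67',    # address from the telnet example
    [int]   $AgentPort   = 5049,              # default DC Agent listening port
    [string]$ServiceLike = '*Barracuda*DC*'   # ASSUMPTION: agent service display name
)

# 1. Audit policy: subcategories of both categories should include Success.
foreach ($category in 'Account Logon', 'Logon/Logoff') {
    auditpol /get /category:"$category" |
        Where-Object { $_ -match '\S\s{2,}(Success|Failure|No Auditing)' } |
        ForEach-Object {
            $state = if ($_ -match 'Success') { 'OK     ' } else { 'MISSING' }
            "$state $($_.Trim())"
        }
}

# 2. Recent successful logons (event ID 4624 on Windows 2008 and 2012).
$since  = (Get-Date).AddMinutes(-15)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$logons = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue)
"4624 events in the last 15 minutes (capped at 50): $($logons.Count)"

# 3. The agent service should be set to Auto start and be Running.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceLike } |
    Select-Object Name, DisplayName, StartMode, State

# 4. TCP check equivalent to the telnet test. Run on the DC itself, this only
#    proves the agent is listening, not that the Web Filter can reach it.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($DcAddress, $AgentPort); $reachable = $tcp.Connected }
catch   { $reachable = $false }
finally { $tcp.Close() }
"TCP ${DcAddress}:${AgentPort} reachable: $reachable"
```

A path blocked by a firewall between the Web Filter and the domain controller still has to be tested from the Web Filter's Advanced > Troubleshooting page.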

You will also need to configure the Barracuda Web Filter to use the DC agents. This is done on the Users/Groups > Configuration
or Users/Groups > Authentication page under the DC Agent Configuration heading. After setting the Enable Single Sign-On
option to Yes, here's what you need to enter for each of your domain controllers:

IP Address of Domain Controller - IP address of the primary domain controller (PDC). The Barracuda
Web Filter needs the IP address of the PDC to poll the DC Agent for the list of authenticated users.

DC Agent Listening Port - The port used by the DC Agent to communicate with the Session Monitor on
the Barracuda Web Filter. The recommended port number is 5049.

Synchronization Interval - The time interval (in seconds) at which the Session Monitor polls the DC
Agent for the list of authenticated users. The recommended value is 15 seconds.

Once all of this is finished, your Barracuda Web Filter should now properly associate web browsing with Active Directory users. If
you would like to configure browsing rules based on the Active Directory identity of the browsing user, you may do so on the
Block/Accept > Exceptions page. To do this, first create a rule, and then click the Lookup button at the top of the list of
exceptions. A new window will pop up and, if the Active Directory server has been configured properly on the Web Filter, the Active
Directory User/Group section should list your Active Directory groups and users. You may then select these to specify which Active
Directory users are subject to each particular exception you configure.

Additional Notes

In some cases, Barracuda DC Agent configuration changes may not be applied to a running Barracuda DC Agent process. If (after
configuring everything above) the Barracuda DC Agent is not syncing with the Barracuda Web Filter, try restarting the Barracuda
DC Agent process.

Also, it is not always necessary to update the DC Agent version when updating the firmware on the Web Filter, as new firmware versions are
backwards compatible with older DC Agents. Please contact Barracuda Technical Support if authentication issues occur after a
firmware update.

If you are getting the error Bad bind DN, error code 8, stronger authentication required, while configuring your LDAP authentication
service, that means that your Domain Controller doesn't support the LDAP_Simple_Bind request.
You need to modify the Domain Controller security settings:
1. Click Start > Run > gpedit.msc
2. In the Group Policy Object Editor, select the following: Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options
3. In this section, search for the following entries:
Domain Controller: LDAP Server signing requirements
Network security: LDAP Client signing requirements
4. To enable simple binds, set the above as follows:
Domain controller: LDAP server signing requirements = None
Network security: LDAP client signing requirements = Negotiate
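
With server signing set to None, a simple bind on port 389 carries the Bind Password unencrypted, so it is worth recording what the domain controller enforces before and after this change. The following added example (not from the Barracuda article) reads the registry values behind the two policies and the Directory Service summary event for unsigned or simple binds; it assumes an elevated PowerShell session on the domain controller.

```powershell
# Added example (not from the Barracuda article): report the effective LDAP
# signing settings on this domain controller and any unsigned/simple binds.
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$serverMap = @{ 1 = 'None'; 2 = 'Require signing' }
$clientMap = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-SigningSetting($Key, $ValueName, $Map) {
    # Returns the policy value as text, or a note when the value is absent.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (OS default applies)' }
    $raw = [int]$item.$ValueName
    if ($Map.ContainsKey($raw)) { "$($Map[$raw]) ($raw)" } else { "unknown ($raw)" }
}

"Domain controller: LDAP server signing requirements = " +
    (Get-SigningSetting $serverKey 'LDAPServerIntegrity' $serverMap)
"Network security: LDAP client signing requirements  = " +
    (Get-SigningSetting $clientKey 'LDAPClientIntegrity' $clientMap)

# Event 2887 (Directory Service log) is written once per 24 hours when the DC
# has accepted unsigned SASL binds or simple binds over a non-TLS connection.
$filter = @{ LogName = 'Directory Service'; Id = 2887 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```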

Link to This Page:
https://www.barracudanetworks.com/support/knowledgebase/50160000000H2Lx
