MSS FW Best Practices: Users and Groups
12/11/2024 0 People found this article helpful 9,174 Views
Description
CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples and caution should be exercised when making changes to your firewall as unplanned changed could result in downtime based on the complexity of the environment and/or configuration.
MSS Recomended SonicWall Firewall Best Practices Index
LDAP/LDAPs Integration
Setup/Configuration
- To setup LDAP/LDAPs integration, see the following SonicWall KB article: LDAP/LDAPs Integration for SonicWall Firewall | SonicWall.
- Always leave the Default LDAP User Group as None
- It is recommended that you create a service account for the SonicWall’s authentication to your Active Directory.
- This account does NOT need admin privileges. A normal AD User is preferred.
- Use LDAPS whenever possible. Microsoft will be discontinuing support for LDAP (389) in the future so using LDAPs will ensure your AD integration doesn’t stop working when Microsoft flips the switch.
- Microsoft guide to setting up LDAPs:
https://docs.microsoft.com/en-us/archive/blogs/microsoftrservertigerteam/step-by-step-guide-to-setup-ldaps-on-windows-server
- Microsoft guide to setting up LDAPs certificate:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
- If you have setup LDAP integration, ensure that if creating local users, they DO NOT match the name of an Active Directory user.
- When importing users from AD, be sure that you change the “Handling of the imported users' domains:” option to No domains (imported user objects will match the named users in any domain).
- DO NOT use the “Include the domains” option or you will need to include your domain as part of the username when logging in with an AD account. LDAP integration will allow you to use Active Directory users for things like; VPN (Remote Access) login, applying CFS policies to AD users and/or groups, etc.
- DO NOT CHECK Select Require valid certificate from the server when using TLS.
SSO Configuration
Setting up SSO allows the firewall so see PC names as well as query the logged-on users instead of just the PC’s IP address.
Setup/Configuration
- To setup SSO, see the following SonicWall KB article: Setting Up SSO on SonicWall Firewall | SonicWall.
- The account used during the Directory Services Connector installation MUST be a domain administrator.
- This account is only used by the agent to start the windows service.
- Ensure you Check Enable SSO agent authentication.
- Check Don't block user traffic while waiting for SSO.
- The Windows Firewall MUST be DISABLED on all servers and PCs in the environment or the SSO agent will NOT be able to successfully query the workstations.
- Non windows IPs should be excluded from SSO as SSO won’t be able to query logged on users (because there isn’t one): How to Exclude IP Addresses from SSO Agent | SonicWall.
Related Articles
Categories
Was This Article Helpful?
YESNO