What settings and configuration changes are necessary to enable Websense to recognize Active Directory as my directory service?
How do I enable Active Directory settings in Websense Manager – Websense
Error: Unable to Add Directory Objects (when trying to add users or groups in the Websense Manager)
LDAP simple bind error, invalid credentials (seen in the Event Viewer Application Log)
LDAP simple bind error, unable to connect to server
An error occurred while binding to the directory server. ldap_simple_bind: Can't contact LDAP server [<server_name>, 3268, <FQDN>] (seen in the Event Viewer Application Log)
Configuring Active Directory Native Mode
If your network is in Interim Mode, where you are migrating controllers from Windows NT to Windows 200x and you still have NT domain controllers, do not configure Websense software for Active Directory. See the note below for further details.
If you are using Active Directory in Mixed Mode, you should configure Websense software to use Windows NT Directory Service. Mixed Mode means that your Directory Service is configured to allow use of Windows NT domain controllers. Mixed Mode is the default Directory Service setting for Websense.
| NOTE | You can still be in Mixed Mode with no Windows NT domain controllers on your network. In this case, you can safely configure Websense software as though you were in Native Mode. Look at your domain controller’s settings to verify your operating mode. |
|---|---|
If you are using Active Directory in Native Mode, please follow the steps below to ensure you have configured Websense properly.
To configure Websense software to interact with Active Directory Native Mode, use Websense Manager to enter important communications settings. To configure Websense to communicate with the Global Catalog Server:
- In Websense Manager, go to Server > Settings.
- Select Directory Service in the left navigation pane.
- Select Active Directory (Native Mode).
- Click Add. The Add Domain Forest dialog box opens.
- Enter the IP address of the Global Catalog Server machine.
- Enter the Global Catalog Server port (by default, 3268).
- To complete the Root Context field:
  - In a single domain network, leave the Root Context field blank.
  - In a multiple domain network, one Global Catalog Server from each domain must be listed in the Domain Forest box. You must also add a Root Context, specific to each Global Catalog Server, to differentiate between parent and child domains. For further details, see Consider the Active Directory Tree below.
- Under Administrative Account, select Full Distinguished Name.
| NOTE | If you want to use the Distinguished name by components option, refer to the Administrator’s Guide for your Websense software version. |
|---|---|
- Remove the default contents of the User DN box.
- Enter a User DN similar to the following examples.
| Syntax | Example |
|---|---|
| UserID@domain.com | administrator@websense.com |
| domain\UserID | websense\administrator |
- Enter the password.
If you enter an incorrect user ID or password, you will receive an error when you try to add a user or group directory object within the Websense Manager.
- Click OK twice.
- Click Save Changes to keep the new configuration.
Now you should be properly configured to add directory service entries (users, groups, domains, and organizational units) as clients in Websense Manager. Websense software is now also able to identify which users pertain to which group clients, in order to apply the correct group policy.
| NOTE | If using Websense DC Agent, ensure that the DC Agent service is logging on as a domain administrator account. |
|---|---|
Consider the Active Directory Tree
The Active Directory tree structure uses a parent/child structure. For example, there may be a parent domain called websense.com, and a child domain called marketing.websense.com. If you want to apply Websense policies to a group in a child domain, you need to perform a few additional steps.
Due to Microsoft security policy settings, group membership information for a Domain Local Group or Global Group from a child domain is not stored on a Global Catalog Server which resides in the parent domain. If Websense is configured to only connect to one Global Catalog Server (port 3268) in the parent domain, then filtering by Domain Local Group or Global Group from a child domain will not occur.
Two workarounds are available:
- If you do not want to change Active Directory settings, add the child domain’s domain controller to Websense Manager.
  - In Websense Manager, go to Server > Settings.
  - Select Directory Service in the left navigation pane.
  - Select Active Directory (Native Mode).
  - Click Add. The Add Domain Forest dialog box opens.
  - In the first field, enter the IP address of the child domain’s Global Catalog Server.
  - Change the port number from 3268 to 389 for each child domain.
  - Enter the Root Context, using the following format (but with your own domain names):
    dc=marketing,dc=Websense,dc=com
  - Enter a domain Administrative Account for the child domain. See Configuring Active Directory Native Mode (above) for syntax details.
  - Click OK twice.
  - Click Save Changes to keep the new configuration settings.
  Filtering by Domain Local Group and Global Group now functions. For detailed information about Domain Local Group, Global Group, and Universal Group, please refer to Microsoft Knowledge Base Article 309172.
- Change your Active Directory settings by adding users to a Universal Group, and assign a Websense filtering policy to this Universal Group. (You MUST be in Native Mode to use this option.) The advantage of using Universal Groups is that group membership information for all Universal Groups in the Active Directory forest is stored on all Global Catalog Servers for that forest. Thus it is irrelevant where each Universal Group is located or in which domain it resides.
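An added check, not part of the Websense article, for the two things the Domain Forest entries above depend on: that the administrative account binds on 3268 and on 389, and that a child-domain group's members are visible only through the child domain controller and not through the parent Global Catalog. Server names, root context and group name are assumed placeholders.

```powershell
# Added example, not from the Websense article. Binds with the administrative account the way
# Websense Manager does, then looks up one child-domain group through the parent Global Catalog
# (3268) and through the child domain controller (389). Server names, root context and group
# name are assumed placeholders.
param(
    [string]$GcServer    = "gc01.websense.example",            # parent-domain Global Catalog (assumed)
    [string]$ChildDc     = "dc01.marketing.websense.example",  # child-domain DC (assumed)
    [string]$RootContext = "dc=marketing,dc=websense,dc=example",
    [string]$GroupName   = "Marketing-Web-Users",              # Global Group in the child domain (assumed)
    [pscredential]$Credential = (Get-Credential -Message "Administrative account (domain\UserID or UserID@domain.com)")
)

function Get-GroupMembershipView {
    param([string]$Server, [int]$Port, [string]$BaseDn, [string]$Group, [pscredential]$Cred)
    $path  = "LDAP://${Server}:${Port}/${BaseDn}"
    $pw    = $Cred.GetNetworkCredential().Password
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $path, $Cred.UserName, $pw
    try {
        $entry.RefreshCache()   # forces the simple bind; throws on bad credentials or an unreachable server
    } catch {
        # These failures correspond to the "LDAP simple bind error" entries in the Application log
        return [pscustomobject]@{ Server = "${Server}:${Port}"; Bind = "FAILED: $($_.Exception.Message)" }
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$Group))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("groupType", "member"))
    $hit = $searcher.FindOne()
    $type = $null; $members = 0
    if ($hit) {
        # groupType flags: 0x2 global, 0x4 domain local, 0x8 universal (plus 0x80000000 for security groups)
        $type    = $hit.Properties["grouptype"][0]
        $members = $hit.Properties["member"].Count
    }
    [pscustomobject]@{ Server = "${Server}:${Port}"; Bind = "ok"; Found = [bool]$hit; GroupType = $type; MemberCount = $members }
}

$views = @(
    Get-GroupMembershipView -Server $GcServer -Port 3268 -BaseDn $RootContext -Group $GroupName -Cred $Credential
    Get-GroupMembershipView -Server $ChildDc  -Port 389  -BaseDn $RootContext -Group $GroupName -Cred $Credential
)
$views | Format-Table -AutoSize
# Expected pattern for a Global or Domain Local group: members visible on 389, none on 3268,
# which is why a second Domain Forest entry for the child domain on port 389 is needed.
```

A Universal Group queried the same way shows its members on both ports, which is the behaviour the second workaround relies on.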
After You Integrate Microsoft Exchange Server with Active Directory
Websense allows you to use a domain user account to query your Active Directory domain controller. However, after integrating Microsoft Exchange Server with Active Directory, the domain user privilege is not enough to retrieve the user/group relationship from the Active Directory domain controller. The workaround is to use a domain administrator account to query domain controllers. To learn more about this change, please refer to Microsoft Knowledge Base Article 253827.