Directory Agents

The Directory Agent represents the directory server that Optinet connects to in order to gain access to your directory structure. Optinet's Directory Agent Groups and Delegated Administration Roles use the groups, organizational units (OU), and attributes from your directory server, synchronizing that data so that you do not have to recreate user groups on Optinet.

There are two types of directory agents:

Scenario - Multiple Directory Servers

If you have three directory servers (of the same directory agent type) and want all of them integrated with Optinet, you can create one Directory Agent and add up to three directory servers (IP addresses) to it.

Steps

  1. The Directory Server Agent is installed on each directory server (Microsoft Active Directory Server or Novell eDirectory). All directory servers connected to Optinet must reside in the same domain. The directory servers are data-redundant and share the same data structure for users, groups, and attributes.
  2. The administrator logs in to Optinet and adds one Directory Agent (Directory Server Agent) so that Optinet can communicate with each Active Directory server.
  3. Optinet randomly selects one of the three server IP addresses to gain access to the directory structure. The connection remains open unless Optinet can no longer access that server, in which case it tries to connect to one of the other two servers. This is a failover function, so that Optinet can always access your directory server.

Example: In this Multi-Directory Server Scenario, servers 2 and 3 are replicas of directory server 1. If directory server 1 fails, the system randomly selects one of the other servers you defined when adding the Directory Agent. In this case, the system selected Directory Server 3 to connect to. The connection stays open, allowing you to repair Directory Server 1 without disrupting business operations.
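The failover behaviour described above (random choice among the configured servers, a connection that stays open, and a switch only when the active server stops answering) is simulated below. This is an added example, not Optinet code: the server addresses are constructed sample data, and the `probe` callable stands in for whatever reachability check the appliance performs against the directory server.

```python
"""Multi-directory-server failover as described in the scenario above.

Added example (not Optinet code): one Directory Agent holds up to three
directory server IP addresses. One is chosen at random, the connection is
kept open, and only when that server stops answering is one of the other
configured servers tried. The `probe` callable is an assumption of this demo
and stands in for a real reachability check of the directory server.
"""
import random
from typing import Callable, List, Optional

# Constructed sample: three replicated directory servers on one Directory Agent.
SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]


class DirectoryAgent:
    """Holds the configured servers and the single open connection."""

    def __init__(self, servers: List[str], probe: Callable[[str], bool],
                 rng: Optional[random.Random] = None) -> None:
        if not 1 <= len(servers) <= 3:
            raise ValueError("a Directory Agent takes one to three directory servers")
        self.servers = list(servers)
        self.probe = probe                 # probe(ip) -> True if the server answers
        self.rng = rng or random.Random()
        self.active: Optional[str] = None  # server the open connection points at
        self.history: List[str] = []       # every server connected to, in order

    def connect(self, exclude: Optional[str] = None) -> str:
        """Pick a reachable server at random, skipping the one that just failed."""
        candidates = [ip for ip in self.servers if ip != exclude]
        self.rng.shuffle(candidates)
        for ip in candidates:
            if self.probe(ip):
                self.active = ip
                self.history.append(ip)
                return ip
        self.active = None
        raise ConnectionError("no configured directory server is reachable")

    def ensure_connected(self) -> str:
        """Keep the existing connection; fail over only when it has dropped."""
        if self.active is not None and self.probe(self.active):
            return self.active
        return self.connect(exclude=self.active)


def run_failover_scenario(seed: int = 0):
    """Walk through the worked example: connect, lose the active server, repair it.

    Returns (history, first_server, second_server).
    """
    down = set()                                  # servers currently unreachable
    agent = DirectoryAgent(SERVERS, probe=lambda ip: ip not in down,
                           rng=random.Random(seed))
    first = agent.connect()                       # random choice among all three
    down.add(first)                               # the server in use goes offline
    second = agent.ensure_connected()             # fail over to one of the other two
    down.discard(first)                           # first server repaired
    agent.ensure_connected()                      # connection stays on `second`
    return agent.history, first, second


def run_all_down() -> str:
    """No server reachable: the agent raises instead of silently picking one."""
    agent = DirectoryAgent(SERVERS, probe=lambda ip: False)
    try:
        agent.connect()
    except ConnectionError:
        return "unreachable"
    return "connected"


if __name__ == "__main__":
    history, first, second = run_failover_scenario()
    print(f"connected to {first}, failed over to {second}, history {history}")
```

The point worth noticing is the last step: once the repaired server is back, the agent does not switch back to it, matching the description that the connection stays open while you repair the failed server.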

See also: Integrating Directory Servers

Directory Agent Setup Options

There are several ways to integrate your directory servers with Optinet. Because the directory server already contains user groups, organizational units (OU), and attributes that Optinet can use, integrating with Optinet cuts down the time you spend creating user groups (Directory Agent Groups) on the appliance.

Some organizations use Citrix servers and others do not. Likewise, you may have business policies or requirements that prohibit downloading and distributing the Black Box Client Agent to all nodes across the network. Optinet offers two options for authenticating users signing on to the network: the Black Box Client Agent (cymdir.exe) and Web Authentication.

We recommend deploying the Black Box Client Agent to all network nodes associated with Optinet and the directory server. However, you can instead select one of the optional Web Authentication methods. The following scenarios describe how Optinet can authenticate users logging in to their computers.

Scenario 1 - Directory Agent with Black Box Client Agent

Installing the Directory Agent with the Black Box Client Agent is the preferred method for identifying users logging in to the system and the Directory Agent Group they belong to, while synchronizing with your directory structure: groups, organizational units (OU), and attributes. When a user logs in to their computer, the Black Box Client Agent executes, and Optinet queries the directory server to match the user's network traffic with their directory server account.

Considerations

This option identifies users immediately when they log on to the network, and more accurate application reporting is available, based on directory users. However, you can only set up this option if you are using Microsoft Active Directory Server or Novell eDirectory and all network nodes are in the same domain as the directory server. There are no reports for individual users through Terminal Services or Citrix sessions.

Steps

  1. Install the Directory Server Agent on the directory server that you want to integrate with Optinet.
  2. Install the Black Box Client Agent to a network location, then create a Group Policy Object (or other script option), and push the client out to all nodes associated with Optinet.
  3. Log in to Optinet and create a Directory Agent, so that Optinet knows the directory server's IP address and password to access the directory structure.

Scenario 2 - Directory Agent with IP Lookup

For networks that cannot deploy the Black Box Client Agent to nodes across the network, or choose not to because of company policies, you can use this method for identifying users logging in to the network. Most likely, your network environment does not have a login process that is initiated when a user logs on to the network, or the login credentials are cached locally on the computer. This option lets you set up Web Authentication through Internet Usage Rules to look up the IP address and username by searching your directory server.

Optinet identifies users when HTTP traffic is initiated. When Optinet receives a web request, the system tries to determine which Optinet Group the node belongs to. The system determines the Optinet Group and applies its filtering and shaping rules. Every Optinet Group has an assigned Internet Usage Rule (IUR), which is also applied. Web Authentication is one of the features set up within the IUR, so if you want to use Web Authentication, you must set up the option in an IUR.

After the system applies the IUR assigned to the Optinet Group the user belongs to, it tries to determine whether the user is authorized to access the Internet. The system queries the directory server to find the username for the web request. If the user is found, they are automatically assigned to a Directory Agent Group and are no longer a member of an Optinet Group. If the user is not found, the user's IP address (node) remains in an Optinet Group.

This setup option does not require you to install the Black Box Client Agent on every node across the network. Web Authentication with IP Lookup seamlessly identifies users without displaying an additional login page. However, users are not identified until Optinet receives the user's first HTTP traffic, which can affect application control and reporting for those users.

Considerations

File and Print Sharing rights must be enabled, and the primary DNS server must be set to the IP address of the directory server, for computers to successfully communicate their login credentials to the directory server. All computers must belong to the same domain as the directory server and run Microsoft Windows 2000 SP4 or later. Finally, you must create two groups, an Optinet Group (network nodes) and a Directory Agent Group (users), and then assign the same Internet Usage Rule, with Web Authentication - IP Lookup enabled, to both groups.

Steps

  1. Install the Directory Server Agent on the directory server that you want to integrate with Optinet.
  2. Log in to Optinet and create a Directory Agent, so that Optinet knows the directory server's IP address and password to access the directory structure.
  3. From Optinet, go to the Internet Usage Rule assigned to the Optinet Group, click Web Authentication and enter the settings on the page.
  4. A user logs in to a computer and sends a web request to Optinet. The system knows the IP address and username, and knows which Optinet Group the node belongs to (IURs apply to the group), but it needs to determine if the user belongs to a Directory Agent Group.
  5. Optinet sends a query to the directory server, searching for the username. If the username is found, then the user and all of their network traffic belong to the Directory Agent Group of which the user is a member.
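The decision flow of Scenario 2, from the web request through the directory lookup to the group that ends up handling the traffic, written out as an added example (not Optinet code). Group names, the subnet, the usernames and the table of who is logged on at which IP are constructed sample data; in the real system that table is the answer to Optinet's directory server query. The second function illustrates the caveat from the Considerations: nothing is identified until the node's first HTTP request.

```python
"""IP Lookup decision flow for Scenario 2 (added example, not Optinet code).

The node's Optinet Group is determined from its IP address and that group's
IUR applies first. If the IUR has Web Authentication - IP Lookup enabled, the
directory server is asked which user is logged on at that IP. A found user is
handled as a member of a Directory Agent Group; otherwise the node stays in the
Optinet Group. All names and addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class InternetUsageRule:
    name: str
    web_authentication: Optional[str]   # "IP Lookup", "NTLM", "Login Page" or None


@dataclass(frozen=True)
class OptinetGroup:                     # network nodes, identified by subnet
    name: str
    subnet: ipaddress.IPv4Network
    iur: InternetUsageRule


@dataclass(frozen=True)
class DirectoryAgentGroup:              # directory users
    name: str
    iur: InternetUsageRule


@dataclass(frozen=True)
class Decision:
    group_kind: str                     # "Directory Agent Group" or "Optinet Group"
    group_name: str
    user: Optional[str]
    iur: str


# Both groups carry the same IUR with IP Lookup enabled, as the
# Considerations section requires.
STAFF_IUR = InternetUsageRule("Staff IUR", web_authentication="IP Lookup")
NODE_GROUP = OptinetGroup("Office LAN", ipaddress.ip_network("192.168.10.0/24"), STAFF_IUR)
USER_GROUP = DirectoryAgentGroup("Domain Users", STAFF_IUR)

# Constructed: what the directory server reports as the logged-on user per IP.
DIRECTORY_LOGONS: Dict[str, str] = {
    "192.168.10.21": "CORP\\alice",
    "192.168.10.22": "CORP\\bob",
}


def identify(request_ip: str, node_group: OptinetGroup = NODE_GROUP,
             user_group: DirectoryAgentGroup = USER_GROUP,
             directory: Dict[str, str] = DIRECTORY_LOGONS) -> Decision:
    """Decide which group a web request from `request_ip` is handled under."""
    addr = ipaddress.ip_address(request_ip)
    if addr not in node_group.subnet:
        raise LookupError(f"{request_ip} is not in any Optinet Group")
    # Without IP Lookup on the node group's IUR there is no directory query.
    if node_group.iur.web_authentication != "IP Lookup":
        return Decision("Optinet Group", node_group.name, None, node_group.iur.name)
    user = directory.get(request_ip)
    if user is not None:
        return Decision("Directory Agent Group", user_group.name, user, user_group.iur.name)
    return Decision("Optinet Group", node_group.name, None, node_group.iur.name)


def first_identified_at(events: List[Tuple[str, str]]) -> Optional[int]:
    """Index of the event at which the node's user is first identified.

    `events` are (protocol, source_ip) pairs in arrival order. Only HTTP
    traffic triggers identification, so earlier non-HTTP traffic from the same
    node is handled as an unidentified Optinet Group node.
    """
    for i, (proto, ip) in enumerate(events):
        if proto.lower() != "http":
            continue
        if identify(ip).group_kind == "Directory Agent Group":
            return i
    return None
```

The branch that checks `web_authentication` before querying the directory is the reason the page insists that Web Authentication be configured in the IUR: with any other setting on the node group's rule, the lookup never happens and every node stays in the Optinet Group.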

Scenario 3 - Directory Agent with NTLM

Network environments that use Terminal Server and Citrix Server sessions can set up Optinet to identify and filter individual users through network nodes or applications that share a single IP address among multiple users. Users logged on to the network send web traffic to Optinet, which acts as a proxy. This allows Optinet to identify users based on web sessions rather than IP addresses, which is what the other directory methods use. After you set up the Directory Agent with NTLM, the system can identify and filter users through Terminal Server or Citrix Server sessions. However, all application reporting and control are global for these users. You can control application and bandwidth traffic for the Terminal Services server or Citrix server, but you cannot control application and bandwidth traffic for specific users.

Note: Citrix Servers have a feature called Virtual IPs (VIPs), which allows you to install the Black Box Client Agent on all network nodes. If you use this feature, you can set up Optinet as in Scenario 1 - Directory Agent with Black Box Client Agent.

Steps

  1. Install the Directory Server Agent on the directory server that you want to integrate with Optinet.
  2. Deploy proxy settings to users' web browsers.
  3. Log in to Optinet and create a Directory Agent, so that Optinet knows the directory server's IP address and password to access the directory structure.
  4. From Optinet, go to the Internet Usage Rule assigned to the Optinet Group, click Web Authentication, and enter the settings on the page.
  5. Users log in to a terminal and send a web request to Optinet, which acts as a proxy. Optinet can then identify users based on web sessions instead of IP addresses.
  6. Create an Optinet Group that includes the Terminal Services servers and Citrix servers, and then create a Directory Agent Group that includes the directory users from the integrated directory server. Assign both groups the same Internet Usage Rule, enable Web Authentication, and then select Web Authentication - NTLM.

Scenario 4 - Directory Agent with Login Page

If Scenario 2 - Directory Agent with IP Lookup or Scenario 3 - Directory Agent with NTLM fails to identify users, or if users have directory accounts but their nodes are not members of the domain, you can use this method of user authentication. When users log in to the network, Optinet sends a login page for users to enter their username and password. After the system verifies the user's credentials, all filtering and shaping rules for the group the user or network node belongs to are enforced.

The advantage of setting up Optinet to authenticate users with this method is that you can confirm directory users regardless of the network node they are using. Users can access the network using Microsoft Windows computers, Macintosh computers, Linux computers, or handheld PDAs. However, depending on your network environment, users may have to log on to their computer to gain access to the network, and then log in again to gain access to the Internet. The user must also have a login established in the directory server so that they can authenticate successfully.

Note: You can create a local Optinet login specific to this feature. However, if you are attempting to use this feature for guest users, we recommend that you create a guest account on your directory server and then provide guest users with the credentials, or modify the login page to display that information for the user.

Steps

  1. Install the Directory Server Agent on the directory server that you want to integrate with Optinet.
  2. Deploy proxy settings to users' web browsers.
  3. Log in to Optinet and create a Directory Agent, so that Optinet knows the directory server's IP address and password to access the directory structure.
  4. From Optinet, go to the Internet Usage Rule assigned to the Optinet Group, click Web Authentication, and enter the settings on the page.
  5. Users log in to a terminal and send a web request to Optinet, which acts as a proxy. Optinet can then identify users based on web sessions instead of IP addresses.

Note: From Optinet, select Admin > Custom Response Pages > Directory Agent Login Page to edit the login page that appears to users when Web Authentication is enabled.

  6. Create an Optinet Group that includes the Terminal Services servers and Citrix servers, and then create a Directory Agent Group that includes the directory users from the integrated directory server. Assign both groups the same Internet Usage Rule, enable Web Authentication, and then select Web Authentication - NTLM.

Creating Directory Agents

Optinet uses the Directory Agent as a reference point to know which directory server to access. Optinet must be able to connect to the directory server's IP address on the network. If you are integrating a Microsoft Active Directory or Novell eDirectory server, you must install the Directory Server Agent from Optinet first, before creating a Directory Agent. See Integrating Directory Servers.

Requirements

The following fields are required information about your directory server or LDAP connection that you must have before you can create Directory Agents.

To add a directory agent

  1. Install the Directory Server Agent to your directory servers.
  2. From Optinet, select Manage > Directory Users & Nodes > Directory Agent.
  3. Click Create.
  4. Select which type of Directory Agent you want to create:

Note: If you are using an LDAP server that is not listed, or you have mapped your directory server with custom tagging, contact Black Box Technical Support for help mapping Optinet so that it integrates with your directory server.

  5. (Required) Enter the Name of the Directory Agent.

Use this name to identify which server the Directory Agent Client was installed on. The name you enter appears in the Directory Agent drop-down list of the user interface when you select a directory server to find members of the structure to add to a Directory Agent Group.

Tip: We recommend using your domain name.

  6. Enter a Description to identify the Directory Agent Server.
  7. (Required) Enter an IP Address for the directory server you want to integrate.

Optinet must have access to communicate with the directory server's IP address on the network.

  8. By default, the Port number is 389.

You can change this value if your LDAP server uses a different port to communicate.

  9. (Required) Enter a Password to access the directory server.
  10. Click Query Server to find out the domain name for the IP address you entered, which is used under Domain Settings for the Base DN.

Note: The Query Server button tests the connection between Optinet and the directory server you are integrating. If you do not know the domain and leave the Base DN field blank, Optinet queries the directory server to find the domain name. This is for informational purposes only. Even if you do not enter a Base DN value or click Query Server, you can still click Save. Optinet automatically finds the domain name when you click Save.

  11. Click Save.
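The field rules from the steps above (Name, IP Address and Password required; Port defaulting to 389; Description and Base DN optional, with the Base DN filled in from the domain name when left blank) collected into one checker, as an added example that is not Optinet code. The mapping of a DNS domain to `DC=` components is the standard LDAP convention and stands in here for the appliance's own lookup, which the page does not describe in detail; the sample values are constructed.

```python
"""Checks for the Directory Agent fields described in the steps above.

Added example, not Optinet code. Name, IP Address and Password are required;
Port defaults to 389; Description and Base DN are optional. When Base DN is
blank, the standard LDAP mapping of a DNS domain to DC= components is used
(corp.example.com -> DC=corp,DC=example,DC=com). How the appliance itself
finds the domain on Save is not described on the page, so that step is
simulated by passing in the domain the Query Server step reported.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

LDAP_DEFAULT_PORT = 389      # default shown in the Port step
LDAPS_PORT = 636             # LDAP over TLS, for the security note below


@dataclass
class DirectoryAgentConfig:
    name: str
    ip_address: str
    password: str
    description: str = ""
    port: int = LDAP_DEFAULT_PORT
    base_dn: str = ""


def domain_to_base_dn(domain: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com (trailing dot tolerated)."""
    labels = [part for part in domain.strip().strip(".").split(".") if part]
    if not labels:
        raise ValueError("domain name is empty")
    return ",".join(f"DC={label}" for label in labels)


def validate(cfg: DirectoryAgentConfig) -> List[str]:
    """Return the problems that would stop the Directory Agent being saved."""
    errors: List[str] = []
    if not cfg.name.strip():
        errors.append("Name is required")
    if not cfg.password:
        errors.append("Password is required")
    try:
        ipaddress.ip_address(cfg.ip_address)
    except ValueError:
        errors.append(f"IP Address {cfg.ip_address!r} is not a valid IP address")
    if not 1 <= cfg.port <= 65535:
        errors.append(f"Port {cfg.port} is out of range")
    return errors


def security_notes(cfg: DirectoryAgentConfig) -> List[str]:
    """Non-blocking observations a reviewer of the configuration would raise."""
    notes: List[str] = []
    if cfg.port == LDAP_DEFAULT_PORT:
        notes.append(
            "port 389 is plain LDAP: a simple bind sends the directory password "
            "in the clear unless StartTLS is negotiated; confirm how the appliance "
            f"binds, or use LDAPS on {LDAPS_PORT} if the server offers it"
        )
    return notes


def resolve_base_dn(cfg: DirectoryAgentConfig, queried_domain: str) -> str:
    """Explicit Base DN wins; otherwise derive it from the queried domain name."""
    if cfg.base_dn.strip():
        return cfg.base_dn.strip()
    return domain_to_base_dn(queried_domain)


if __name__ == "__main__":
    cfg = DirectoryAgentConfig(name="corp.example.com", ip_address="10.0.0.11",
                               password="constructed-sample-password")
    print(validate(cfg) or "fields OK", resolve_base_dn(cfg, "corp.example.com"))
```

The name used in the sample follows the page's own tip of using the domain name as the Directory Agent Name. The security note is general LDAP behaviour rather than a statement about Optinet: the page gives only the default port, not how the appliance binds, so that is the question to settle before accepting the default.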