If you want to use LDAP user/group names for authentication and policy configuration purposes, you must set IWSVA’s user identification feature to use your corporate LDAP server.
If you want to apply the Guest Policy for those network users who are not in your LDAP directory, enable the guest account in the Authentication Method section. For more information about enabling the guest account see Enabling the Guest Account.
Select Administration > IWSVA Configuration > User Identification | User Identification tab from the main menu.
Enter the Domain, Service Account, and Password of the LDAP server and click Test Connection to validate the LDAP connection.
In the LDAP Settings section under User/group Authentication Settings, click the Server Type drop-down list and choose the type of LDAP server on your network.
Click Save to preserve your settings.
If you have multiple LDAP domains or multiple LDAP server types, choose Advanced (other or multiple LDAP servers).
Enter the LDAP Domain Name.
When the LDAP server is a Microsoft Active Directory, "Auto Detect" will be available to detect and automatically fill the domain settings. Enter the “Admin account” and Password for a credential with at least read authority to the LDAP server. If the domain is us.example.com:
For Microsoft Active Directory, use the UserPrincipalName for the admin account, for example, NT_Logon_ID@us.example.com.
For OpenLDAP and the Sun Java System Directory Server 5.2, enter the Distinguished Name (DN) for the admin account (for example, uid=LOGON_ID,ou=People,dc=us,dc=example,dc=com).
When the LDAP server is a Microsoft Active Directory, configure LDAP encryption:
If you do not want to use the LDAP encryption, select None for LDAP Encryption.
If you want to use the LDAP encryption, select LDAPv3 StartTLS extension or LDAP over SSL for LDAP Encryption.
Enter the Listening port number used by the LDAP server that you have chosen (default = 389). If your network has multiple Active Directory servers and you have enabled the Global Catalog (GC) port, change the listening port to 3268.
If you enable the Global Catalog in Active Directory, you might need to configure your firewall to allow communication through port 3268.
Enter the LDAP server's hostname using the Fully Qualified Domain Name (FQDN).
Enter the Base distinguished name to specify from which level of the directory tree you want IWSVA to begin LDAP searches.
The base DN is derived from the company's DNS domain components; for example, LDAP server us.example.com would be entered as DC=example, DC=com.
If you are using Active Directory servers with the Global Catalog (GC) port enabled, use the root domain of the Global Catalog-enabled Active Directory; for example, use dc=example,dc=com.
Select the LDAP authentication method to use—either Simple, Digest-MD5, or Kerberos.
Additionally, configure the following parameters to use Advanced authentication:
Default Realm
Default Domain
KDC and Admin Server: The hostname of the Kerberos key distribution server. If you are using Active Directory, this is typically the same host name as your Active Directory server.
KDC port number: Default port = 88
When using NTLM to authenticate with KDC(s) on a different forest through Internet Explorer or using IWSVA to do referral chasing with Active Directory, Trend Micro recommends enabling “Use HTTP 1.1 through proxy connections.” This setting can be found on the Internet Explorer Tools menu > Internet Options > Advanced tab. Enabling this setting prevents Internet Explorer from cutting off the “Keep-Alive connection” setting. Note that using NTLM is only supported with Microsoft Active Directory.
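The bind identity, base DN and port choices described above, as an added example that is not IWSVA code: a small Python helper that assembles the same parameters the User Identification page asks for. The server-type labels, the `People` OU and the forest-root argument are assumptions; the 3269 port for LDAP over SSL to the Global Catalog is not on this page and is taken from standard Active Directory port usage.

```python
# Constructed helper mirroring the IWSVA User Identification fields; not IWSVA code.
AD = "Microsoft Active Directory"
OPENLDAP = "OpenLDAP"
SUN_DS = "Sun Java System Directory Server 5.2"
ENCRYPTION = ("None", "StartTLS", "LDAPS")  # page: None, LDAPv3 StartTLS, LDAP over SSL


def base_dn_from_domain(dns_domain: str) -> str:
    """us.example.com -> dc=us,dc=example,dc=com (one dc= component per DNS label)."""
    labels = [p for p in dns_domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"dc={p}" for p in labels)


def admin_identity(server_type: str, logon_id: str, dns_domain: str, people_ou: str = "People") -> str:
    """Active Directory binds with a UserPrincipalName; OpenLDAP and Sun DS bind with a full DN."""
    if server_type == AD:
        return f"{logon_id}@{dns_domain}"
    if server_type in (OPENLDAP, SUN_DS):
        return f"uid={logon_id},ou={people_ou},{base_dn_from_domain(dns_domain)}"
    raise ValueError(f"unsupported server type: {server_type}")


def build_settings(server_type, host_fqdn, dns_domain, logon_id, encryption="None",
                   port=389, global_catalog=False, forest_root=None):
    """Assemble the connection parameters a Test LDAP Connection check would use."""
    if encryption not in ENCRYPTION:
        raise ValueError(f"unknown encryption: {encryption}")
    if global_catalog:
        # Global Catalog is an Active Directory feature; searches start at the forest root.
        if server_type != AD or not forest_root:
            raise ValueError("Global Catalog needs Active Directory and the forest root domain")
        port = 3269 if encryption == "LDAPS" else 3268  # 3268 per the page; 3269 is GC over SSL
        base_dn = base_dn_from_domain(forest_root)
    else:
        base_dn = base_dn_from_domain(dns_domain)
    scheme = "ldaps" if encryption == "LDAPS" else "ldap"  # plain LDAPS servers usually listen on 636
    return {
        "uri": f"{scheme}://{host_fqdn}:{port}",
        "starttls": encryption == "StartTLS",
        "bind_dn": admin_identity(server_type, logon_id, dns_domain),
        "base_dn": base_dn,
    }
```

Remember to open the chosen port (3268 for the Global Catalog) on any firewall between IWSVA and the directory server.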
Configure the Approved LDAP Authentication List to exempt hosts from the LDAP authentication process.
For example, if you have an application server that accesses the Internet and you want to permit its access without requiring the server to authenticate, you can include the server's IP address in the approved LDAP authentication list.
IWSVA will only apply IP address-based policy settings and bypass user/group name checking.
IWSVA supports LDAP queries over IPv6 with the same behavior as over IPv4, and the approved LDAP client list accepts IPv6 addresses as well as IPv4 addresses. The LDAP Authentication request dialog box supports IPv4 and IPv6 on port 9090, and IWSVA automatically redirects a client to the authentication dialog box at IWSVA's IPv4 or IPv6 address, based on the client's IP address version.
When the client uses an IPv4 address, IWSVA should send the redirect request with IWSVA’s IPv4 address.
When the client uses an IPv6 address, IWSVA should send the redirect request with IWSVA’s IPv6 address.
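The approved-list bypass and the address-family-matched redirect described above, as an added example that is not IWSVA code. The IWSVA addresses, the approved entries and the `http://.../` dialog URL shape are constructed placeholders; accepting CIDR ranges in the approved list is an assumption that goes beyond the single-address form the page describes.

```python
import ipaddress

# Constructed values (documentation ranges), not a real IWSVA deployment.
IWSVA_IPV4 = "192.0.2.10"
IWSVA_IPV6 = "2001:db8::10"
AUTH_PORT = 9090  # port of the LDAP Authentication request dialog box, per the page
# Approved LDAP authentication list: hosts exempt from user/group authentication.
APPROVED = ["192.0.2.50", "198.51.100.0/24", "2001:db8:1::/64"]


def _approved_networks(entries):
    # strict=False lets a single host or a range be written the same way.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def auth_decision(client_ip: str, approved=APPROVED) -> dict:
    """Decide whether a client is exempt from LDAP authentication or must be redirected.

    Exempt clients get IP address-based policy only; everyone else is sent to the
    authentication dialog box at the IWSVA address matching their IP version.
    """
    ip = ipaddress.ip_address(client_ip)
    nets = [n for n in _approved_networks(approved) if n.version == ip.version]
    if any(ip in n for n in nets):
        return {"action": "bypass", "policy": "ip-only"}
    host = IWSVA_IPV4 if ip.version == 4 else f"[{IWSVA_IPV6}]"  # bracket IPv6 literals in URLs
    return {"action": "redirect", "url": f"http://{host}:{AUTH_PORT}/"}
```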
To verify the information has been entered correctly and IWSVA can communicate with the LDAP servers that you configured, click Test LDAP Connection on the User Identification page.
A message appears, indicating that you have successfully contacted the LDAP server.
Click Save.