Deploy User-ID for Numerous Mapping Information Sources
You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping in a large-scale network of Microsoft Active Directory (AD) domain controllers or Exchange servers. These methods simplify User-ID administration by aggregating the mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
Windows Log Forwarding and Global Catalog Servers
Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous User-ID agents involves considerable administrative overhead, especially in expanding networks where tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the administrative overhead by reducing the number of servers to monitor and thereby reducing the number of User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export their login events to a single domain member from which a User-ID agent collects the user mapping information.
You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.
To collect group mapping information in a large-scale network, you can configure the firewall to query a Global Catalog server that receives account information from the domain controllers.
The following figure illustrates user mapping and group mapping for a large-scale network in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this deployment suits your network.
Plan a Large-Scale User-ID Deployment
When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID implementation, consult your system administrator to determine:
Bandwidth required for domain controllers to forward login events to member servers. The bandwidth is a multiple of the login rate (number of logins per minute) of the domain controllers and the byte size of each login event.
Note that domain controllers won’t forward their entire security logs; they forward only the events that the user mapping process requires per login: three events for Windows Server 2003 or four events for Windows Server 2008/2012 and MS Exchange.
Whether the following network elements support the required bandwidth:
Domain controllers—Must support the processing load associated with forwarding the events.
Member servers—Must support the processing load associated with receiving the events.
Connections—The geographic distribution (local or remote) of the domain controllers, member servers, and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.
Configure Windows Log Forwarding
To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on all the Windows Event Collectors—the member servers that collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.
On each Windows Event Collector, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
Windows Server 2003—The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
Windows Server 2008/2012 (including R2) or MS Exchange—The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
To forward events as quickly as possible, select Minimize Latency when configuring the subscription.
User-ID agents monitor the Security log, not the default forwarded events location, on Windows Event Collectors. Therefore, perform the following steps on each Windows Event Collector to change the event logging path to the Security log:
Open the Event Viewer.
Right-click the Security log and select Properties.
Copy the Log path (default %SystemRoot%\System32\Winevt\Logs\security.evtx) and click OK.
Right-click the Forwarded Events folder and select Properties.
Replace the default Log path (%SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx) by pasting the value from the Security log, and then click OK.
Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.
Configure a group policy to enable Windows Event Forwarding on the domain controllers.
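The collector-side tasks above (a subscription limited to the required event IDs, Minimize Latency delivery, and redirecting the Forwarded Events log to the Security log file) can be done from an elevated PowerShell session instead of the Event Viewer. The following is an added example, not code from the Palo Alto Networks documentation or from Microsoft; the subscription name and the collector URL shown in the comment are hypothetical placeholders, and the last block is meant to be run on a domain controller to confirm the two group policies have applied.

```powershell
# Added example (not from the page). Run elevated on a Windows Event Collector.
$SubscriptionName = 'UserID-DC-Logons'   # placeholder name
$SourcePlatform   = '2008'               # '2003', or '2008' for 2008/2012 (incl. R2) and Exchange

# Event IDs the page lists for each domain controller platform.
$EventIds = if ($SourcePlatform -eq '2003') { 672, 673, 674 } else { 4768, 4769, 4770, 4624 }
$Select   = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '

# Source-initiated subscription: the DCs push events to the collector once the
# Event Forwarding group policy points them here. ConfigurationMode MinLatency
# is the "Minimize Latency" delivery option. AllowedSourceDomainComputers is an
# SDDL string; 'DC' is the well-known abbreviation for the Domain Controllers
# group, so only domain controllers may deliver into this subscription.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon ticket events forwarded from domain controllers for User-ID</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[($Select)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$XmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding UTF8

wecutil qc /q                   # enable and start the Windows Event Collector service
wecutil cs $XmlPath             # create the subscription from the XML above
wecutil gr $SubscriptionName    # runtime status; DCs show as Active once the GPOs apply

# The User-ID agent reads the Security log, so point the Forwarded Events log
# at the Security log file (the Log path change the page describes in Event Viewer).
$SecurityLogPath = (Get-WinEvent -ListLog Security).LogFilePath
wevtutil sl ForwardedEvents /lfn:"$SecurityLogPath"

# --- Run on a domain controller: confirm the WinRM and Event Forwarding GPOs applied. ---
# The Event Forwarding policy writes the collector URL under this key.
$SubMgrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $SubMgrKey) {
    (Get-ItemProperty -Path $SubMgrKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    # expected form (placeholder host):
    # Server=http://wec01.acbdomain.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
}
# The WinRM policy must leave the service with a listener for the DC to reach the collector.
winrm enumerate winrm/config/listener
```

Restricting the XPath query to the four (or three) event IDs is what keeps the forwarded volume to the per-login events the bandwidth estimate above assumes; a subscription that selects the whole Security log would forward far more than User-ID needs.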
Configure User-ID for Numerous Mapping Information Sources
Step 1. Configure Windows Log Forwarding on the member servers that will collect login events (see Configure Windows Log Forwarding). This step requires administrative privileges for configuring group policies on Windows servers.
Step 2. Install the Windows-based User-ID agent on a Windows server that can access the member servers (see Install the User-ID Agent). Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
Step 3. Configure the User-ID agent to collect user mapping information from the member servers. Start the Windows-based User-ID agent, select User Identification > Discovery, and perform the following steps for each member server that will receive events from domain controllers:
In the Servers section, click Add and enter a Name to identify the member server.
In the Server Address field, enter the FQDN or IP address of the member server.
For the Server Type, select Microsoft Active Directory.
Click OK to save the server entry.
Configure the remaining User-ID agent settings: see Configure the User-ID Agent for User Mapping.
Step 4. Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information. To improve availability, use at least two Global Catalog servers for redundancy. You can collect group mapping information only for universal groups, not local domain groups (subdomains).
Select Device > Server Profiles > LDAP, click Add, and enter a Name for the profile.
In the Servers section, for each Global Catalog, click Add and enter the server Name, IP address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (Start TLS) connection, use Port 3268. For an LDAP over SSL connection, use Port 3269.
If the connection will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
In the Base DN field, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example, DC=acbdomain,DC=com).
For the Type, select active-directory.
Configure the remaining fields as necessary: see Add an LDAP server profile.
Step 5. Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information. User-ID uses this information to map DNS domain names to NetBIOS domain names, which ensures consistent domain/username references in policy rules. To improve availability, use at least two servers for redundancy. The steps are the same as for the LDAP server profile you created for Global Catalogs in Step 4, except for the following fields:
LDAP Server—Enter the IP address of the domain controller that contains the domain mapping information.
Port—For a plaintext or Start TLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
Base DN—Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).
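Before entering the two LDAP server profiles, it is worth confirming from an administrative workstation that the servers, ports and base DNs chosen in Steps 4 and 5 actually return what the firewall will look for: universal groups under the Global Catalog base DN, and the per-domain DNS-to-NetBIOS records under cn=partitions,cn=configuration. The following PowerShell is an added example, not code from the Palo Alto Networks documentation or from Microsoft. Host names are placeholders, the domain is the page's own acbdomain.com example, and the ADSI queries bind as the logged-on domain user on the default GC and LDAP ports; only the reachability check uses the port you intend to put in the profile.

```powershell
# Added example (not from the page). Run as a domain user on a domain-joined host.
$GlobalCatalogs   = 'gc01.acbdomain.com', 'gc02.acbdomain.com'   # placeholders; two for redundancy
$DomainController = 'dc01.acbdomain.com'                         # placeholder
$DomainDn         = 'DC=acbdomain,DC=com'
$PartitionsDn     = "cn=partitions,cn=configuration,$DomainDn"
$UseSsl           = $true   # true -> profile ports 3269 / 636; false -> 3268 / 389 (plaintext or Start TLS)

$GcPort   = if ($UseSsl) { 3269 } else { 3268 }
$LdapPort = if ($UseSsl) { 636 }  else { 389 }

# 1. Reachability of the ports the two LDAP server profiles will use.
foreach ($gc in $GlobalCatalogs) {
    $r = Test-NetConnection -ComputerName $gc -Port $GcPort -WarningAction SilentlyContinue
    '{0}:{1} (Global Catalog) reachable = {2}' -f $gc, $GcPort, $r.TcpTestSucceeded
}
$r = Test-NetConnection -ComputerName $DomainController -Port $LdapPort -WarningAction SilentlyContinue
'{0}:{1} (domain mapping) reachable = {2}' -f $DomainController, $LdapPort, $r.TcpTestSucceeded

# 2. Universal groups under the Global Catalog base DN. The page notes that only
#    universal groups can be mapped through the Global Catalog; the bitwise-AND
#    matching rule selects groupType values carrying the universal flag (0x8).
$gcRoot   = New-Object System.DirectoryServices.DirectoryEntry("GC://$($GlobalCatalogs[0])/$DomainDn")
$gcSearch = New-Object System.DirectoryServices.DirectorySearcher(
                $gcRoot, '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=8))')
$gcSearch.PropertiesToLoad.AddRange([string[]]('name', 'distinguishedName'))
$gcSearch.PageSize = 500
$universal = @($gcSearch.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
"Universal groups visible through the Global Catalog: $($universal.Count)"
$universal | Select-Object -First 10

# 3. Domain mapping data: each crossRef object under cn=partitions,cn=configuration
#    carries dnsRoot (DNS domain name) and nETBIOSName for a domain in the forest.
#    An empty result means the Base DN in Step 5 is wrong for this forest.
$partRoot   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$PartitionsDn")
$partSearch = New-Object System.DirectoryServices.DirectorySearcher(
                  $partRoot, '(&(objectClass=crossRef)(nETBIOSName=*))')
$partSearch.PropertiesToLoad.AddRange([string[]]('dnsRoot', 'nETBIOSName'))
$partSearch.FindAll() | ForEach-Object {
    [pscustomobject]@{
        DnsDomain     = $_.Properties['dnsroot'][0]
        NetBiosDomain = $_.Properties['netbiosname'][0]
    }
} | Format-Table -AutoSize
```

If the third query lists every domain in the forest with its NetBIOS name, the domain mapping profile will resolve the same records; if the second query returns only a few of the groups your rules reference, the missing ones are likely domain local or global groups that need a per-domain LDAP profile rather than the Global Catalog.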
Step 6. Create a group mapping configuration for each LDAP server profile you created.
Select Device > User Identification > Group Mapping Settings.
Click Add and enter a Name to identify the group mapping configuration.
Select the LDAP Server Profile and ensure the Enabled check box is selected.
Configure the remaining fields as necessary: see Map Users to Groups. If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
Click OK and Commit.