About the Auth Connector Integration
The Auth Connector is an authentication agent specific to the Web Security Service (WSS). Installed on an Active Directory member server (Windows Server 2008 R2 is the minimum), it performs the following.
- Forwards user and group information to the WSS so that you can create custom policy based on group and/or user names before those users begin generating traffic; without it, you must wait until users/groups generate traffic and then reactively create policy.
- Monitors login and logout activity of domain users to build an IP-to-username matrix.
- Informs the WSS of user login and logout activities to keep the IP-to-user matrix updated; or maintains this matrix itself on the Domain Controller and pushes the updated matrix regularly to the Cloud.
If you are concerned about the scalability of your Domain Controller, install the Auth Connector onto member servers.
The Auth Connector is not required for all Access Methods. However, as mentioned above, the Auth Connector is required if you plan to create custom policy based on user and group names and, in some methods, to view reports based on users/groups—the sole exception is Explicit Proxy without Captive Portal enabled, because no authentication occurs. The following matrix illustrates the Auth Connector use cases.
- No—The Auth Connector is not required to process your web traffic through the Web Security Service; however, some functionality might be limited.
- Yes—The Auth Connector is unconditionally required for that Access Method.
- Pre-Traffic—For some methods, you can create policy after employees generate traffic without the Auth Connector deployed. However, if you need to define policy before traffic begins, you must install the Auth Connector.
| Access Method | Variations | Must Deploy | User Reporting | Pre-traffic Policy Creation |
|---|---|---|---|---|
| | Captive Portal enabled | Yes | | |
| Explicit Over IPsec | | No | Yes | Yes |
| Remote Users (Unified Agent or SEP) | Includes Captive Portal | | | |
| | SEP with Seamless Authentication | *Yes / No | | |
| Mobile Device Service (MDS) | All | Yes | - | - |
| Roaming Captive Portal enabled | | Yes | | |

*Yes—Required if you plan to enforce group-based policies. No—Report-based user name policy only after users send traffic.
The Auth Connector comprises three communication footprints when completing a Web Security Service transaction.
A—Active Directory Connection
When all Domain Controllers are discovered, the Auth Connector calls a Microsoft API that creates a NetBIOS connection to each Domain Controller. By default, the Auth Connector queries the following information to send to the Web Security Service Control Pod.
- All Domain names that can be found
- All Users (SAM account names) from each domain
- All Security Groups from each domain
- All Members of each Security Group (for report filtering)
If you are employing the Firewall/VPN Access Method, there are two methods that create and maintain the IP-to-User map; you select the method in the Auth Connector setup wizard:
Domain Controller Query: This is the default method for all Access Methods. The Domain Controller Query (DCQ) instructs the Auth Connector to query all the domain controllers in your AD to identify users by their IP address when they log on. Each domain controller is contacted every 10 seconds to ensure detection of all logged-on users. The Auth Connector contacts the Web Security Service Control Pod through auth.threatpulse.net on port 443 and transfers the AD users and group names.
The Web Security Service returns IPsec endpoint information to the Auth Connector.
ACLogon Application: For very large enterprises with many domain controllers spread out across locations, the DCQ method might create scalability issues; some user logons might be missed because the domain controllers cannot respond fast enough. The alternative is to deploy the ACLogon App and make it available to each client system. See the About the ACLogon App section below.
Tip: Only install the Auth Connector on a server that does not require the protection provided by the Web Security Service. Connections to the service will work, but all users connected to that Data Pod location display in reports as unauthenticated user.
Tip: It is possible to limit this list to specific users and groups.
If the Auth Connector detects IPsec connections, it receives instructions from the Control Pod as to which Data Pods (including other locations) it must connect to, then initiates and establishes the SSL connections when it must resolve an IP address to a user name. IPsec tunnels are identified by a network location defined in the portal as a Firewall/VPN location that shows in a connected state.
User web requests connect to the Data Pod. The Web Security Service queries the Auth Connector for user, group name, or IP address verification, checks policy, and either proceeds with or denies the request.
If the Auth Connector detects connectivity from an iOS (SEP Mobile) app, an Android app, or the Unified Agent, the following occurs.
- The Auth Connector receives instructions as to which Data Pods (including other locations) it must connect to.
- When it must resolve group membership for the users that are passed to the Data Pod, it initiates and establishes the SSL connections.
Failure to allow the Auth Connector to connect to the Data Pod's authentication IP (Reference: Authentication IP Addresses) prevents proper group membership identification, which causes group-based policies to fail.
The Web Security Service responds reasonably quickly to new AD integrations. After that, the Web Security Service automatically performs an AD refresh once a week to poll for newly added users.
Group memberships are identified through a different process, however. The Web Security Service re-queries group membership every 15 minutes (for active log-ins and users who are already authenticated).
- If you add a user to a new AD group and the user is not yet connected and authenticated, the Web Security Service identifies their group membership when they connect.
- If you add a user to a new AD group and the user is already authenticated, it can take nearly 15 minutes for the Web Security Service to re-query group membership.
To perform an on-demand retrieval of all user and group names, return to the Authentication > Auth Connector tab and click Synchronize with AD. Be advised that it might take up to 24 hours for you to see the information in your portal. Avoid clicking the button more than once in a 24-hour period; doing so might clog the sync queue, causing slower results.
About the ACLogon App
Symantec recommends this option for very large enterprises with many domain controllers spread out across locations. When first executed, the Logon Application authenticates to the Auth Connector over TCP port 80. The user logon name and IP address of the workstation are sent. The TCP connection then terminates. Upon a network change (such as WiFi enabled or IP address change), the ACLogon re-connects to the Auth Connector to update the information. If only the ACLogon is used, the DCQ is disabled.
You must download the application and make it available to each client system. The easiest way to deploy it is through Active Directory logon and logoff scripts implemented through group policy and the Group Policy Editor in the AD. Any updates to the ACLogon version are then applied to the software on the AD, not the endpoints. The application is very small and does not consume disk space on the endpoint device.
- By default, both the DCQ and ACLogon create IP mappings in the Auth Connector without a TTL. The Auth Connector configuration file (bcca.ini) can define a time-to-live (TTL) in seconds for IP mappings. This is done in the [CLSetup] section.
- Combining this with the ACLogon /interval seconds #### parameter, which periodically refreshes the IP mapping, keeps the Auth Connector table up to date. The ACLogon /logoff parameter also triggers an update on any user logout or restart event to clear that IP's entry.
- Set up a GPO with a login/logout script that runs:
  Aclogon.exe /logoff /interval seconds 3600 Auth-Connector_hostname/IP
- In the Auth Connector's bcca.ini file, add ValidTTL 7200 in the [CLSetup] section.
With these settings, the ACLogon authenticates to the Auth Connector every hour; if the Auth Connector does not receive an update from the ACLogon for that IP within two hours, the IP is removed from the mapping table. With /logoff specified for ACLogon, the IP is also removed from the table when the user logs out, restarts, or shuts down the machine.
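The interplay between the ACLogon refresh interval, the /logoff notification and the ValidTTL setting is easiest to reason about with a small model. The following Python is an added example, not Symantec's code and not the Auth Connector's implementation; the class and function names (IpUserMap, simulate) are hypothetical and the session timings are constructed. It replays one workstation through a mapping table with a TTL and shows why the TTL must be longer than the refresh interval (a shorter TTL drops a user who is still logged on between reports), why a TTL matters at all when a client goes silent without sending /logoff, and how /logoff clears the entry immediately.

```python
"""Model of the Auth Connector IP-to-user mapping table with a TTL.

Added illustration, not Symantec code and not the Auth Connector's real
implementation: it simulates the interaction described above between the
ACLogon /interval refresh, the /logoff notification and the ValidTTL
setting in bcca.ini. Names (IpUserMap, simulate) and the session timings
are hypothetical/constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IpUserMap:
    # Seconds an entry stays valid without a refresh; None models the
    # default (no ValidTTL), where entries never expire on their own.
    valid_ttl: Optional[int] = None
    _entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def record(self, ip: str, user: str, now: int) -> None:
        """An ACLogon (or DCQ) report refreshes the mapping and its timestamp."""
        self._entries[ip] = (user, now)

    def logoff(self, ip: str) -> None:
        """A /logoff notification clears the IP immediately."""
        self._entries.pop(ip, None)

    def expire(self, now: int) -> List[str]:
        """Drop entries not refreshed within valid_ttl; return the dropped IPs."""
        if self.valid_ttl is None:
            return []
        stale = [ip for ip, (_, seen) in self._entries.items()
                 if now - seen > self.valid_ttl]
        for ip in stale:
            del self._entries[ip]
        return stale

    def lookup(self, ip: str, now: int) -> Optional[str]:
        """Resolve an IP the way a Data Pod query would, expiring stale rows first."""
        self.expire(now)
        entry = self._entries.get(ip)
        return entry[0] if entry else None


def simulate(valid_ttl: Optional[int], interval: int, last_report: int,
             checkpoints: List[int], logoff_at: Optional[int] = None,
             ip: str = "10.0.0.5", user: str = "CORP\\jdoe") -> Dict[int, Optional[str]]:
    """Replay one constructed workstation session through the table.

    The ACLogon reports (ip, user) at t=0 and every `interval` seconds up to
    and including `last_report`; after that the client is silent (power loss,
    network drop). If `logoff_at` is set, a /logoff arrives at that time.
    Returns {checkpoint: user or None} for each lookup time in `checkpoints`.
    """
    table = IpUserMap(valid_ttl=valid_ttl)
    events = [(t, "report") for t in range(0, last_report + 1, interval)]
    if logoff_at is not None:
        events.append((logoff_at, "logoff"))
    events.sort()
    results: Dict[int, Optional[str]] = {}
    for t in sorted(checkpoints):
        # Apply every event that happened at or before this checkpoint.
        while events and events[0][0] <= t:
            when, kind = events.pop(0)
            if kind == "report":
                table.record(ip, user, when)
            else:
                table.logoff(ip)
        results[t] = table.lookup(ip, t)
    return results


if __name__ == "__main__":
    # Settings from the procedure above: refresh hourly, expire after two hours.
    print("TTL 7200 / interval 3600, client silent after its 3600s report:",
          simulate(7200, 3600, last_report=3600, checkpoints=[7000, 10000, 11000]))
    print("No TTL (default), same silent client:",
          simulate(None, 3600, last_report=3600, checkpoints=[100000]))
    print("TTL 1800 shorter than interval 3600, user still logged on:",
          simulate(1800, 3600, last_report=7200, checkpoints=[3000]))
    print("/logoff at 4000 with TTL 7200:",
          simulate(7200, 3600, last_report=3600, checkpoints=[5000], logoff_at=4000))
```

The first scenario is the documented configuration: the entry survives the two lookups within two hours of the last report and disappears at the third. Without a TTL the silent client's mapping would persist indefinitely, so any later device that obtains that IP is attributed to the old user in policy and reports; with a TTL shorter than the refresh interval a legitimately logged-on user drops out of the table between reports and is evaluated as unauthenticated.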
Obtain the application and release notes: ACLogon App.
- Reference: Required Locations, Ports, and Protocols.
- The Auth Connector is proxy-aware. If you prefer to route Auth Connector traffic through a proxy, you can manually configure the bcca.ini file to include proxy connection information. This step is described in the deployment topic and in Forward Specific User and Group Names to the Service.
- If you do not want all users and groups from your Active Directory to be sent to the Web Security Service, you can modify the bcca.ini file. See Forward Specific User and Group Names to the Service.