Deploy the AuthConnector

To create custom policy based on user and group names before those users and groups generate traffic, you must download the Symantec Auth Connector to at least one domain controller or member server. The Auth Connector connects to the Web Security Service (WSS) and provides it with the user/group information from Active Directory (AD). See About the Auth Connector Integration, which provides more detail about the Auth Connector agent footprint.

For heightened security, Symantec strongly recommends installing the Auth Connector on a dedicated server that is not routing web transactions to and from the WSS.

About Failover

To achieve failover, install the Auth Connector on a second domain controller or member server. If you install two Auth Connectors, you must designate one as the primary and one as the secondary; however, both must be installed on live systems, because both connect to the WSS simultaneously. If the server hosting the primary Auth Connector goes down, the secondary immediately assumes the task.

About Proxy Aware Capability

The Auth Connector is proxy-aware. If you prefer to route Auth Connector traffic through an explicit proxy, you can manually edit the bcca.ini file to include the proxy connection information. This is described in Step 7 below.

Technical Requirements

  • Direct Internet Requirement—The Auth Connector must have a direct connection to the internet for its connection to the WSS. Do not route the Auth Connector's traffic through the same IPsec tunnel that carries web traffic to the WSS.

Member Servers Installation Prerequisites

  • Windows Server 2008 R2 is the minimum version on which the Auth Connector can be installed.
  • The installation requires:

    • The user performing the install must be a member of the domain into which the Auth Connector is installed.
    • The user must have local administrative privileges on that machine.
  • The installation prompts for a username and password. These are configured as the account under which the Auth Connector service runs. The user name must be in the form ADDOMAIN\user or user@dns_domainname.com, where ADDOMAIN is the NetBIOS name of the Active Directory domain of which the server hosting the Auth Connector is a member. The installation grants this user account the Log on as a service privilege.

    If the password of this AD account changes and the Auth Connector restarts, the service can no longer authenticate to the domain, and the Web Security Service cannot identify users until the password configured for the service again matches the account.

  • The Auth Connector requires that the newer Entrust root CA certificate, Entrust (2048), be installed on the Windows server on which the Auth Connector runs. Verify this by browsing the Trusted Root Certification Authorities list in the local machine store with mmc.exe and the Certificates snap-in. If this Entrust certificate is not present in the list, update the root CA certificates by downloading the update program from Microsoft at http://support.microsoft.com/kb/931125.
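The prerequisites above can be checked in one pass before running the installer. The following PowerShell script is an added example, not part of the Symantec documentation or the Auth Connector product; run it in an elevated PowerShell session on the candidate domain controller or member server. The service account name (CORP\svc-authconnector) and the Entrust subject pattern are assumptions to adjust for your environment, and Get-WmiObject is used rather than Get-CimInstance so the script also runs on the PowerShell 2.0 shipped with Windows Server 2008 R2.

```powershell
# Added example: pre-install checks for the Auth Connector prerequisites.
# Not Symantec's code. Service account and certificate subject are assumed values.
param(
    # Assumed example account in ADDOMAIN\user form; replace with your own.
    [string]$ServiceAccount = 'CORP\svc-authconnector'
)

$results = [ordered]@{}

# 1. Windows Server 2008 R2 (NT 6.1) is the minimum supported version.
$osVersion = [System.Environment]::OSVersion.Version
$results['OS version is 6.1 or later'] = ($osVersion -ge [Version]'6.1')

# 2. The server must be domain-joined, and the installing user must be a domain
#    account (a local account reports USERDOMAIN equal to the computer name).
$computer = Get-WmiObject -Class Win32_ComputerSystem
$results['Server is domain-joined']    = [bool]$computer.PartOfDomain
$results['Installer is a domain user'] = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

# 3. The installing user needs local administrative privileges (and the session
#    must actually be elevated for the installer to use them).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['Installer is local admin'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 4. The service account must be ADDOMAIN\user or user@dns_domainname.com.
$accountPattern = '^([^\\@\s]+\\[^\\@\s]+|[^\\@\s]+@[^\\@\s]+\.[^\\@\s]+)$'
$results['Service account name format'] = ($ServiceAccount -match $accountPattern)

# 5. The Entrust (2048) root CA must be in the local machine Trusted Root store.
#    The subject match is an assumption; compare against the exact subject named
#    in your copy of the Symantec documentation.
$entrustRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Entrust*' -and $_.Subject -like '*2048*' }
$results['Entrust (2048) root CA present'] = ($null -ne $entrustRoot)

# Report each check and exit non-zero if any prerequisite is missing.
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK' } else { 'MISSING' }
    '{0,-36} {1}' -f $entry.Key, $state
}
if ($results.Values -contains $false) { exit 1 }
```

If the Entrust check reports MISSING, install the root certificate update from the Microsoft KB article referenced above and re-run the script; the other checks describe conditions of the installing session itself, so re-run it from the account and elevation you intend to use for the installation.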

Procedure

Next Step