Barracuda Web Security Gateway

How do I configure Active Directory integration with the DC Agent on my Barracuda Web Filter?

  • Type: Knowledgebase
  • Date changed: one year ago

Solution #00002865


Scope:
All Barracuda Web Filters, all firmware versions. Networks running Windows 2003 domain controllers and 2003 Active Directory should use DC Agent version 6.0.0.32. DC Agent versions 2.14 to 6.0 also support Windows 2008 domain controllers; version 4.6 fixed memory leak issues, so update to the latest version available from the download link in the web interface. DC Agent versions 6.0 and above also support Windows 2012 and should be updated as needed. Important note: Server Core installations are not supported. DC Agent 6.0 and later also require the Active Directory bind account information and the Web Filter's IP address to be configured under the "Appliances" tab within the DC Agent program. If your Web Filter only supports firmware up to version 4.5.x, contact support, since the last DC Agent version available for 4.5 firmware is v4.3.

Please see solution #00006621 for download links for older DC Agent versions.


Answer:

While the Barracuda Web Filter can be integrated with any LDAP or Active Directory server, the DC Agent may only be used with the 2003, 2008, and 2012 versions of Active Directory. To function properly, the DC Agent must be installed on each of your domain controllers that will see login events from your users.

!! IMPORTANT !!

• If you have only one domain (e.g. abc.com), you only need one authentication service, which is usually the primary domain controller, to which you give an alias during the setup process. All non-primary domain controllers on the network (in the same abc.com domain) must have the DC Agent installed and be linked to that primary server alias.

• If you have multiple domains (e.g. abc.com and xyz.com), each domain must be listed in the authentication service with a different alias per domain. In this setup you also only need each domain's primary domain controller listed as the authentication server for the corresponding domain (alias). All installed DC Agents must be linked to the corresponding server alias.

• In a multiple-domain scenario you have the option to "Aggregate Active Directory Domains". When set to Yes, both domains are treated as if they were one and the same domain. This is useful when creating exceptions for the same user who belongs to both domains (e.g. joe@abc.com and joe@xyz.com): you can create an exception using the first server alias in the authentication list, and the exception will apply to the user in both domains.

• If you select No for "Aggregate Active Directory Domains", each domain is treated separately, and exceptions need to be created on a per-domain basis.

Web Security Gateway configuration

Navigate to the Users/Groups > Authentication Services or Users/Groups > Authentication page, select the LDAP tab, and fill out all of the needed information:

*Server Alias - Label for this LDAP server configuration. Maximum 10 characters.
*LDAP Server - The IP address of your LDAP or Active Directory server.
*Server Type - Choose among Active Directory, Novell eDirectory, Open Directory, Open LDAP, Other LDAP.
*LDAP Port - The port used by your LDAP or Active Directory server. The default is port 389.
*LDAP Encryption - Encrypts any communications traffic passing between the Web Filter's authentication services and your LDAP / AD server.
*Bind DN - The distinguished name (DN) of a user in your LDAP directory that has read access to all the users in LDAP. The Barracuda Web Filter uses the distinguished name to look up users in the LDAP database so the users can be assigned to exception policies and displayed on the Users/Groups > Accounts View page.
*Bind Password - The password for the user you specified in the Bind DN field.
*LDAP Search Base - The base distinguished name (DN) for the directory. For example, if your domain is test.com, your base DN might be dc=test,dc=com.
*UID Attribute - The attribute that contains the user's ID. For Active Directory, it is recommended that you use sAMAccountName. For OpenLDAP, it is recommended that you use uid.

Barracuda DC Agent

Installing the DC Agent on your network will allow the Barracuda Web Filter to associate outgoing web requests with Active Directory users, log their activity, and apply user-specific or group-specific policies to outgoing connections without requiring users to log into the Barracuda Web Filter.

First, you will need to configure the Barracuda Web Filter to work with your Active Directory server on the Users/Groups > Authentication Services or Users/Groups > Authentication page. You will need one authentication service for each Active Directory domain. This page lets you specify the location of your LDAP server so your Barracuda Web Filter can:

*Authenticate users using LDAP
*Authenticate user group membership using LDAP
*Allow you to assign exception policies to LDAP users.

The Barracuda DC Agent 7.1.x and higher does not support Windows Server 2003. If you are running Windows Server 2003, please contact Barracuda Technical Support. Otherwise, download the Barracuda DC Agent from the USERS/GROUPS > Authentication page of the Barracuda Web Filter web interface.

!! DC Agent 5.0 and below: please contact Barracuda Networks Technical Support !!

DC Agent 6.x and 7.1.x

To install the new DC Agent software, once you have downloaded "DCAgent.exe", right-click on the file, choose Run as Administrator, and follow the instructions in the wizard. When going through the steps in the installation wizard, all settings should normally be left at their defaults. The required settings to configure are:
A. The domain information for your domain is added and saved.
B. The IP address of the allowed Barracuda Web Filter is added on the Appliances tab/page.

After the Barracuda DC Agent is installed and running correctly, launch the application and complete the following steps.

1. Define the location and login credentials for your Active Directory. Click the Active Directories tab and click the green + sign to add a domain.
   a. Select Local if you installed the DC Agent on the Domain Controller; select Remote if you installed it on another machine on the network.
   b. If you selected Remote, enter the Fully Qualified Domain Name (FQDN) in the Host field.
   c. Enter a name for referring to the domain, e.g. 'Finance', 'Salesnet', etc.
   d. The Username should be an account with permissions to run WMI queries on the domain controller. Enter that user's Password and click OK.
   e. Click Test to verify connectivity with the domain controller.

2. On the Filters tab, specify the IP address of any client PCs or networks for which you do not want the DC Agent to capture and send login information to your Barracuda Networks products. These are exceptions; their associated login events will be ignored by the DC Agent.

3. On the Appliances tab, add the internal IP address and a Description for each Barracuda Networks Web Filter that you want to use the DC Agent.

4. On the Settings tab, set the Appliance Listening Port. If required, you can change the TCP listening port; make sure that you also specify the same port on all configured Barracuda Networks products. The default is port 5049.

5. Check the services currently running on your Domain Controller itself and make sure the Barracuda DC Agent service is set to Automatic and started.

Listening for Logon Events

In order for the DC Agent to pick up user names, logon event auditing must be enabled on every domain controller:

Windows Server 2003 configuration

1. Open Domain Controller Security Policy under Start > Programs > Administrative Tools. Be sure to open Domain Controller Security Policy and not Domain Security Policy, as the Domain Controller Security Policy takes precedence over any Domain Security Policy that may be configured (for each domain controller specifically).

2. Click on Local Policies, and then Audit Policy.

3. Make sure both "Audit account logon events" and "Audit logon events" have Success in the Security Setting column. If they don't, right-click on the setting and choose Properties. Check the "Success" box and click OK.

4. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda. So be patient with the process after you have turned it on.

Windows Server 2008 configuration

1. Navigate to Start > Administrative Tools > Local Security Policy.

2. Click on Local Policies > Audit Policy.

3. Make sure both "Audit account logon events" and "Audit logon events" have Success in the Security Setting column. If they don't, right-click on the setting and choose Properties. Check the "Success" box and click OK.

4. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda Web Filter. It may take time to start tracking new events, please be patient.

Windows Server 2012 configuration

1. Open the Server Manager.

2. Click on Tools > Local Security Policy.

3. Click on Local Policies and then Audit Policy.

4. Make sure both "Audit account logon events" and "Audit logon events" have Success in the Security Setting column. If they don't, right-click on the setting and choose Properties. Check the "Success" box and click OK.

5. Once the event tracking is turned on, all new logon events will trigger updates to the Barracuda Web Filter. It may take time to start tracking new events, please be patient.

!!!!!! Please note !!!!!!

In some cases, adding Success to both "Audit account logon events" and "Audit logon events" is not possible because they are grayed out. The fix is:

• In the left pane, expand Advanced Audit Policy Configuration, then expand System Audit Policies - Local Group Policy Object, click Logon/Logoff, and in the middle pane add Success to Audit Logon.

Checking Installed DC Agent connectivity

If the DC Agent has been installed and is running on each relevant domain controller, you can verify it is working by going to the Advanced > Troubleshooting page of the Web Filter's interface and entering the IP address of the Domain Controller you are testing, followed by port 5049, in the telnet field. It should look something like "192.168.3.67 5049". Once this has been entered, click the Begin Telnet button. If the Barracuda is able to communicate properly with the domain controller, you should see something like this:

$ telnet 192.168.3.67 5049
Trying 192.168.3.67...
Connected to 192.168.3.67.
Escape character is '^]'.

!!!! Note !!!!

If you do not see the 'Connected to' message, the Barracuda Web Filter is not able to communicate with the specified DC Agent on the Domain Controller on the necessary port 5049.

Once connectivity to your domain controllers has been verified, check to make sure the DC Agent is properly generating network logon events. You can do this by logging onto your domain controllers and:

A. Windows Server 2003: navigate to Start > Programs > Administrative Tools > Event Viewer and click on SECURITY, or

B. Windows Server 2008 & 2012: open the Server Manager, click on Tools > Event Viewer, and in the Event Viewer window expand Windows Logs and click on SECURITY. If you want, you can use Filter Current Log in the right pane to only see the desired events (see NOTE below).

Here you should see Success Audits with Event IDs like 538 and 540 (Windows 2003) and 4624 (Windows 2008 and 2012). This means the domain controller is generating the proper Active Directory logon events; be sure the times in the log are recent.

NOTE: When filtering, select the proper time range under Logged (All events from a date/time; this should be only since the DC Agent was installed or restarted, as older events are not picked up a second time, only newer events are), type 4624 in the <All Event IDs> field, and under Keywords select Audit Success only, as this is what is used for AD LDAP. These also have to be true logon types, not cached or other types.

!!!! NOTE !!!!
If you are on a Windows 2012 Domain Controller and the 4624 event IDs are not being generated, make sure that under Tools > Local Security Policy > Advanced Audit Policy Configuration > Logon/Logoff, Audit Logon is set to Success.
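The following PowerShell script is an added example, not part of the Barracuda article or the DC Agent software: run on a 2008/2012 domain controller, it checks the Advanced Audit Policy requirement from the Windows Server sections above and then applies the same Event Viewer filter described in the NOTE (Event ID 4624, Audit Success, only since the DC Agent start time). The -Since value and the "Barracuda DC Agent" service name are assumptions you adjust; which logon types the DC Agent actually consumes is not stated on the page, so the script only discards cached logons and computer accounts as an illustration.

```powershell
# Added example, not from the Barracuda article. Run as Administrator on a domain controller.
# Assumptions: -Since should be the time the DC Agent was installed or last restarted;
# the page does not say which logon types the DC Agent uses, so this only discards
# cached logons (LogonType 11) and computer accounts as an illustration.
param(
    [datetime]$Since = (Get-Date).AddHours(-1)
)

# 1. Advanced audit policy: the Logon subcategory must include Success, otherwise no 4624
#    events are written (this is the grayed-out case and the Windows 2012 note above).
$policy  = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$setting = ($policy | Where-Object { $_.Subcategory -eq 'Logon' }).'Inclusion Setting'
if ($setting -notmatch 'Success') {
    Write-Warning "Logon auditing is '$setting'; 4624 Audit Success events will not be generated."
}

# 2. Same filter as the Event Viewer note: Security log, Event ID 4624, only events newer
#    than the agent start, Audit Success keyword only.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue
$logons = foreach ($e in $events) {
    if ($e.KeywordsDisplayNames -notcontains 'Audit Success') { continue }
    # Pull the named EventData fields (LogonType, TargetUserName, IpAddress, ...) out of the event XML.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    # Cached logons and machine accounts (names ending in '$') are not user logons.
    if ($d.LogonType -eq '11' -or $d.TargetUserName -like '*$') { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType
        ClientIP  = $d.IpAddress
    }
}

"$(@($logons).Count) usable logon event(s) since $Since"
$logons | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

If the count stays at zero while users are logging on, the audit policy warning above is the first thing to resolve; if the policy is correct but the Web Filter still shows no users, restart the DC Agent as described under Additional Notes.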


You will also need to configure the Barracuda Web Filter to use the DC Agents. This is done on the Users/Groups > Configuration or Users/Groups > Authentication page under DC Agent Configuration. After setting the Enable Single Sign On option to Yes, here is what you need to enter for each of your domain controllers:

*IP Address of Domain Controller - IP address of the domain controller. If you have multiple domain controllers, the Barracuda Web Filter needs the IP address of the primary domain controller's DC Agent as well as the other domain controllers' DC Agents, so that it can poll the main domain controller's DC Agent for the list of authenticated users.
*DC Agent Listening Port - The port used by the DC Agent to communicate with the Session Monitor on the Barracuda Web Filter. The recommended port number is 5049.
*Synchronization Interval - The time interval (in seconds) at which the Session Monitor polls the DC Agent for the list of authenticated users. The recommended value is 15 seconds.

Once all of this is finished, your Barracuda Web Filter should properly associate web browsing with Active Directory users. If you would like to configure browsing rules based on the Active Directory identity of the browsing user, you may do so on the Block/Accept > Exceptions page.
To do this, under the Add Exception section select the desired Action for your policy, then from the Applies To drop-down menu choose LDAP User/Group. Once you have selected it, you can look up the LDAP user's username using the lookup button: type in the username and click Lookup, and the username is shown in a new pop-up window. If the Active Directory server has been configured properly on the Web Filter, the Active Directory User/Group section should list your Active Directory groups and users. You may then select these to specify which Active Directory users are subject to each particular exception you configure.

Additional Notes

In some cases, Barracuda DC Agent configuration changes may not be applied to a running Barracuda DC Agent process. If (after configuring everything above) the Barracuda DC Agent is not syncing with the Barracuda Web Filter, try restarting the Barracuda DC Agent process.

Also, it is not always necessary to update the DC Agent version when updating the firmware on the Web Filter, as newer firmware versions are backwards compatible with older DC Agents. Please contact Barracuda Technical Support if authentication issues occur after a firmware update.

If you get the error "Bad bind DN, error code 8, stronger authentication required" while configuring your LDAP authentication service, it means that your Domain Controller does not accept LDAP simple bind requests.

You need to modify the Domain Controller security settings:

1. Click Start > Run > gpedit.msc

2. In the Group Policy Object Editor, select the following: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

3. In this section, search for the following entries:
Domain controller: LDAP server signing requirements
Network security: LDAP client signing requirements

4. To enable simple binds, set the above as follows:
Domain controller: LDAP server signing requirements = None
Network security: LDAP client signing requirements = Negotiate
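The following PowerShell script is an added example, not part of the Barracuda article or the Web Filter's own code: run from any domain-joined Windows host, it performs the same LDAP operations the Web Filter does with the Authentication Services fields described earlier (Bind DN, Bind Password, LDAP Search Base, UID Attribute sAMAccountName) and shows how a domain controller that enforces LDAP signing answers the unsigned simple bind behind the "error code 8" above. Every parameter default (server name, bind DN, password, search base, test user) is a placeholder; the port 636 run assumes the DC has an LDAPS certificate.

```powershell
# Added example, not from the Barracuda article. All parameter defaults are placeholders.
param(
    [string]$Server     = 'dc1.example.com',
    [string]$BindDn     = 'CN=svc-webfilter,OU=Service Accounts,DC=example,DC=com',
    [string]$Password   = 'placeholder-password',
    [string]$SearchBase = 'DC=example,DC=com',
    [string]$TestUser   = 'jdoe'
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-WebFilterLdap([int]$Port, [bool]$UseSsl) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # LDAP simple bind, as the Web Filter uses
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
    try {
        $conn.Bind()
        # The lookup the Web Filter performs: UID attribute sAMAccountName under the search base.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, "(sAMAccountName=$TestUser)", 'Subtree', @('memberOf'))
        $resp = $conn.SendRequest($req)
        $groups = foreach ($entry in $resp.Entries) {
            $a = $entry.Attributes['memberOf']
            if ($a) { $a.GetValues([string]) }
        }
        "port $Port ssl=$UseSsl : bind OK, $($resp.Entries.Count) entry for '$TestUser', $(@($groups).Count) group(s)"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 8 = strongerAuthRequired: the DC refuses unsigned simple binds, which is the
        # "Bad bind DN, error code 8" case above. A simple bind over SSL (second call below) is
        # accepted with signing still enforced, so check that before setting the requirement to None.
        "port $Port ssl=$UseSsl : bind rejected, code $($_.Exception.ErrorCode) - $($_.Exception.ServerErrorMessage)"
    } catch {
        "port $Port ssl=$UseSsl : connection failed - $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

Test-WebFilterLdap -Port 389 -UseSsl $false   # what the Web Filter sends with LDAP Encryption off
Test-WebFilterLdap -Port 636 -UseSsl $true    # encrypted simple bind; needs an LDAPS certificate on the DC
```

A rejection with code 8 on port 389 alongside a successful bind on port 636 means the DC enforces signing; a code 49 on both ports means the bind DN or password, not the signing policy, is the problem.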