Sync Users and Groups from Active Directory or LDAP

Applies To: WatchGuard Cloud

To synchronize users and groups from Active Directory or a Lightweight Directory Access Protocol (LDAP) database to your WatchGuard Cloud authentication domain, you must enable and configure directory sync. After you configure directory sync, WatchGuard Cloud connects to your external user database and adds all users and groups to your authentication domain at one time.

You cannot delete synced users and groups in WatchGuard Cloud. To remove a user or group from your WatchGuard Cloud authentication domain, you must delete the user or group from your Active Directory or LDAP server.

The Directory Sync tab is only visible for authentication domains with an Active Directory or LDAP server.

Requirements

To use the directory sync feature, the WatchGuard endpoint agent must be installed on your corporate network in a location that has Internet access and that can connect to your LDAP server. The agent enables communication between WatchGuard Cloud and your Active Directory or LDAP database. When you configure directory sync, you specify which computer to use to sync users and groups from your authentication domain to WatchGuard Cloud.

Before you continue, be aware of these requirements:

  • To use the AD Sync feature, you must install v1.18.02 or higher of the WatchGuard endpoint agent on your Active Directory or LDAP server
  • To use the advanced filter feature with AD sync, you must install v1.18.03 or higher of the WatchGuard endpoint agent on your Active Directory or LDAP server

If your account has a WatchGuard Endpoint Security license, the WatchGuard endpoint agent consumes an endpoint.

When you download the WatchGuard endpoint agent, we recommend that you verify the agent version number. If your account is not provisioned for a version of the agent that supports the AD Sync feature, you must contact WatchGuard Technical Support.

Configure Directory Sync

To sync users and groups from Active Directory or an LDAP database to your authentication domain, in WatchGuard Cloud:

  1. If you are a Service Provider, select the name of the managed subscriber account.
  2. Select Configure > Authentication Domains.
    The Authentication Domains page opens.

Screen shot of the Authentication Domains page

  1. Click the domain name to edit.
    The Update Authentication Domain page opens.

Screen shot of the Update Domain page, Users and Groups tab

  1. Select Directory Sync.

Screen shot of the Directory Sync tab on the Authentication Domain page

  1. Click Configure Directory Sync.
    The Directory Sync page opens.

Screen shot of the Directory Sync page.

  1. Download and install the WatchGuard endpoint agent. If you already have the WatchGuard endpoint agent installed on a computer that can connect to your Active Directory or LDAP server, go to Step 8.
    1. To download the WatchGuard endpoint agent, click Download the WatchGuard Endpoint Agent.
      The Download Agent Installer window opens.
    2. Select the type of computer you want to install the agent on.
    3. Click Download Agent.
      The agent installer downloads.
    4. When you download the WatchGuard endpoint agent, we recommend that you verify the agent version number. If your account is not provisioned for a version of the agent that supports the AD Sync feature, you must contact WatchGuard Technical Support.
      1. Right-click the downloaded WatchGuard Endpoint Agent file and select Properties.
        The WatchGuard Endpoint Agent Properties window opens.
      2. Select the Details tab.
        The Comments property shows the agent version.
    5. To start the installation, double-click the downloaded installer file. You must install the agent on a computer that has Internet access and that can connect to your LDAP or Active Directory server.
      The WatchGuard Endpoint Agent Installation Wizard opens.
    6. Click Next.
    7. Click Install.
    8. Click Finish.
      The agent is installed.
  2. On the Directory Sync page, next to the Hosts drop-down list, click the Refresh icon .
  3. From the Hosts drop-down list, select the computer to use to run the synchronization. The list contains all computers that have the WatchGuard endpoint agent installed.
  4. In the Service Account and Service Account Password text boxes, enter the credentials for an Active Directory user that has permissions to perform LDAP searches and binds.

Screen shot of the Directory Sync page.

  1. In the Synchronized User Attributes section, select whether this is an Active Directory server or other type of LDAP database. For other databases, you must specify each attribute value. You do not have to do this for Active Directory because the attribute values are known.
  2. If this not an Active Directory server, type a value for each attribute.
  3. From the Primary Server drop-down list, select the primary server to use for synchronization. This drop-down list shows the servers you added to your WatchGuard Cloud authentication domain.
  4. (Optional) From the Secondary Server drop-down list, select a backup server to use for synchronization.

Screen shot of the Directory Sync page.

  1. From the Synchronization Interval drop-down list, specify how often you want to synchronize users and groups from the LDAP database.
  2. Click Next.
    The Advanced Filter page opens.

Screen shot of the Advanced Filter settings.

  1. (Optional) To add a filter with an LDAP query to specify which groups or users to sync, click Add Advanced Filter. If you do not add a filter, all LDAP users and groups will sync to your authentication domain.
    The Advanced Filter window opens.

    To use the Advanced Filter feature, you must install v1.18.03 or higher of the WatchGuard endpoint agent.

Screen shot of the Advanced Filter settings.

  1. From the Filter Type drop-down list, select Filter by Query.
  2. Enter a Name for the filter.
  3. In the Query text box, enter an LDAP query. For example, to sync users that are member of the TestGroup group, your query is memberOf=CN=TestGroup,CN=Users,DC=myorg,DC=local.
  4. Click Add Filter.
  5. Click Save.
    The Update Authentication Domain page opens and you can see the details of your Directory Sync.

Screen shot of the Advanced Filter settings.

After you configure and save the directory sync settings, WatchGuard Cloud must register the computer that you selected to use for directory synchronization. This process can take up to four hours. When the registration completes, WatchGuard Cloud syncs with your Active Directory or LDAP database and adds your LDAP users and groups to your authentication domain.

After you configure a directory sync, you can see these details on the Directory Sync tab:

  • Host Name — The name of the computer that syncs users and groups from your Active Directory or LDAP server to WatchGuard Cloud.
  • Status — Indicates whether WatchGuard Cloud can connect to your LDAP server.
  • Last Sync — The date and time that WatchGuard Cloud most recently synced users and groups from your LDAP server.

To refresh this information, click the Refresh icon .

Manually Sync Users and Groups

After you configure a directory sync, WatchGuard Cloud syncs with your Active Directory or LDAP database at each synchronization interval and adds all users and groups from your Active Directory or LDAP database to your authentication domain in WatchGuard Cloud.

If you want to sync users outside of the specified synchronization schedule, you can manually sync users at any time.

To manually sync users:

  1. If you are a Service Provider, select the name of the managed subscriber account.
  2. Select Configure > Authentication Domains.

    The Authentication Domains page opens.

Screen shot of the Authentication Domains page

  1. Click the domain name to edit.

    The Update Authentication Domain page opens.

Screen shot of the Update Domain page, Users and Groups tab

  1. Select Directory Sync.
  2. Click Sync Directory.

Screen shot of the Directory Sync tab on the Authentication Domain page

Disable a Directory Sync

If you do not want to sync new users and groups to your authentication domain, you can disable the directory sync.

When you disable directory sync for an authentication domain, WatchGuard Cloud does not automatically sync with your Active Directory or LDAP database. Users and groups that have already synced to your authentication domain remain available, but WatchGuard Cloud does not automatically sync new users and groups or update existing users and groups.

If you disable a directory sync, you can still manually sync users and groups to your WatchGuard Cloud authentication domain.

To disable a directory sync, in WatchGuard Cloud:

  1. Select Configure > Authentication Domains.

    The Authentication Domains page opens.

Screen shot of the Authentication Domains page

  1. Click the domain name to edit.
    The Update Authentication Domain page opens.

Screen shot of the Update Domain page, Users and Groups tab

  1. Select Directory Sync.

Screen shot of the Directory Sync tab on the Authentication Domain page

  1. Disable the Directory Synchronization toggle.

See Also

WatchGuard Cloud Authentication Domains