Integrating external directory servers

You can use an external directory server to store user group and user information instead of or in addition to the internal user database.

The external directory server can be an LDAP server, or a Microsoft Active Directory server that provides LDAP services.

You can use an external directory server without integrating it with the SMC components. You can view user information and use it for authentication against an external authentication service simply by allowing the SMC components to connect to the LDAP database.

The Management Server and the NGFW Engines each use their own integrated LDAP client to query the external LDAP directory directly. The external LDAP directory is not replicated into the internal directory on the Management Server or into the local directory of the NGFW Engines. Instead, the NGFW Engines query the external LDAP directory separately each time a user attempts to authenticate, and the Management Server queries it separately when you view the User elements in the Management Client.
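The following is an added illustration of the query-per-attempt model described above; it is not Forcepoint SMC or NGFW Engine code. The external directory server is stood in for by a constructed in-memory dictionary (the DNs, account names, group names and password are all made up), and the lookup flow shown (build an equality filter for the login name, resolve the user's DN, then verify the password as a stand-in for a bind as that DN) is a generic LDAP client pattern, not the engine's actual implementation. The search filter escaping follows RFC 4515, which is what any client should apply to user-supplied values before sending a query.

```python
"""Per-attempt lookup against an external directory (added example)."""
import re
from typing import Dict, Optional

# Constructed stand-in for the external LDAP / Active Directory server.
# Maps DN -> attributes. A real deployment queries a server over the network;
# real Active Directory never returns a password attribute like this one.
EXTERNAL_DIRECTORY: Dict[str, Dict[str, object]] = {
    "cn=jdoe,ou=users,dc=example,dc=com": {
        "sAMAccountName": "jdoe",
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"],
        "userPassword": "correct horse",  # constructed value
    },
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\' and NUL have filter syntax meaning; escaping them
    makes a login name match only literally.
    """
    escapes = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(escapes.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, as a directory server would apply it."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(username: str, attribute: str = "sAMAccountName") -> str:
    """Equality filter resolving a login name to an entry, e.g. (sAMAccountName=jdoe)."""
    return f"({attribute}={escape_filter_value(username)})"


def search_one(directory: Dict[str, Dict[str, object]], ldap_filter: str) -> Optional[str]:
    """Stand-in for the server side of the search: evaluate a single
    equality or presence filter and return the first matching DN."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attribute, raw = m.groups()
    if raw == "*":  # unescaped '*' is an LDAP presence filter: any entry with the attribute
        return next((dn for dn, attrs in directory.items() if attribute in attrs), None)
    wanted = unescape_filter_value(raw)
    return next((dn for dn, attrs in directory.items() if attrs.get(attribute) == wanted), None)


def authenticate(directory: Dict[str, Dict[str, object]], username: str, password: str) -> Optional[Dict[str, object]]:
    """One authentication attempt: query the directory now (nothing is cached
    or replicated locally), resolve the DN, then verify the password.

    Returns the resolved DN and group memberships on success, else None.
    """
    dn = search_one(directory, build_user_filter(username))
    if dn is None:
        return None
    # Stand-in for a bind as the user's DN with the supplied password.
    if directory[dn].get("userPassword") != password:
        return None
    return {"dn": dn, "groups": list(directory[dn].get("memberOf", []))}


if __name__ == "__main__":
    print(build_user_filter("jdoe"))
    print(authenticate(EXTERNAL_DIRECTORY, "jdoe", "correct horse"))
    # Because every attempt queries the directory, a removed account is
    # rejected on the very next attempt with no replica to fall out of date.
    trimmed = {dn: attrs for dn, attrs in EXTERNAL_DIRECTORY.items() if attrs["sAMAccountName"] != "jdoe"}
    print(authenticate(trimmed, "jdoe", "correct horse"))
```

Because `authenticate` takes the directory as an argument and never keeps a copy, removing or editing an entry in the stand-in directory is reflected on the next attempt, which is the property the text describes for the NGFW Engines' direct LDAP queries.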

You can configure access to the directory server for both the Management Server and the NGFW Engines, or for the NGFW Engines only. To take full advantage of user authentication features, we recommend configuring access to the directory server for both the Management Server and the NGFW Engines.

Configuring access to the external directory server for both the NGFW Engines and the Management Server allows the following:
  • There is no need to manually duplicate user account information. User and User Group elements are automatically added to the SMC from the external directory.
  • Externally stored user accounts are shown in the Management Client and can be used to create different rules for different users.
  • In most cases, users can also be added, removed, and edited through the Management Client.
  • Internal authentication methods can be used to authenticate externally stored users.

If only the NGFW Engines can access the external directory server, the following restrictions apply:

  • You can authenticate externally stored users only against authentication methods provided by an external authentication server. Internal authentication methods are not available for externally stored users.
  • A single element (User element named *external*) is used to represent all externally stored users in the Firewall Policy. It is not possible to create different rules for different externally stored users.