This article applies to:
- WebMarshal 6.X and 7.X
- Microsoft Active Directory
Question:
- What are the requirements for the WebMarshal Active Directory (AD) connector?
- What are the requirements for WebMarshal to control users by AD login?
- Must all WebMarshal servers be installed on domain member computers?
Reply:
To use WebMarshal in an Active Directory environment, the WebMarshal server (all WebMarshal servers in an array) must be members of an AD domain.
- The Array Manager imports user and group information and must have access to the domain controller for this purpose.
- The Proxy service (on processing node servers) authenticates the user's credentials and must have access to the domain controller for this purpose.
Trustwave recommends that all servers in the array be within the trusted network (not in a DMZ). Usually all servers and client workstations are in the same AD domain. If any of the WebMarshal servers are in a DMZ, you must open the Windows RPC ports to allow user authentication.
- For details of the required ports, see Trustwave Knowledgebase article Q12087, What are the different installation scenarios for WebMarshal?
Domain Trust
You can install WebMarshal in an environment with multiple AD domains, so long as you set up the correct trust relationships. The domains hosting the WebMarshal servers must trust the domain where users are created (outgoing trust). Two-way trust is not required. If processing nodes are in a DMZ, a one-way trust can improve security to some extent, but the RPC ports must still be open.
- For details of tested and supported AD domain trust relationships, see Trustwave Knowledgebase article Q11870, WebMarshal Authentication in Multiple Active Directory Domains.
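The following PowerShell script is an added readiness check, not part of this article or the WebMarshal product. It verifies on a candidate WebMarshal server the requirements stated in the Reply section (domain membership, secure channel and domain controller reachability for the Array Manager and Proxy service) and in the Domain Trust section (an outgoing trust from the server's domain to the user domain). The $UserDomain parameter, the Test-TcpPort helper and the port list are assumptions made for the example; the authoritative list of ports WebMarshal needs is in Knowledgebase article Q12087.

```powershell
# Added readiness check for a WebMarshal server in an AD environment. Example code, not part
# of the Trustwave article or the WebMarshal product. Assumptions: Windows PowerShell 3.0 or
# later; $UserDomain is the DNS name of the domain where users are created; the port list is an
# assumed set of common AD authentication ports (see Q12087 for the WebMarshal list).
param(
    [string]$UserDomain = $env:USERDNSDOMAIN
)

# TCP reachability test with a timeout, so a firewalled DMZ server reports quickly.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$checks = [ordered]@{}

# 1. Domain membership: every server in the array must be a member of an AD domain.
$domain = $null
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $checks['DomainJoined'] = $true
    $checks['ServerDomain'] = $domain.Name
} catch {
    $checks['DomainJoined'] = $false
    $checks['ServerDomain'] = '(not a domain member)'
}

# 2. Secure channel: the Proxy service authenticates users against a DC, which needs a
#    healthy machine-account secure channel.
$checks['SecureChannel'] = $checks['DomainJoined'] -and (Test-ComputerSecureChannel)

# 3. Reachability of a DC on ports used for authentication and directory import.
#    Assumed port set; only the RPC endpoint mapper is tested, not the dynamic RPC range.
$ports = [ordered]@{ 'RpcEndpointMapper' = 135; 'Kerberos' = 88; 'Ldap' = 389; 'Smb' = 445 }
$dc = $null
if ($domain) {
    try { $dc = $domain.FindDomainController().Name } catch { $dc = $null }
}
$checks['DomainController'] = if ($dc) { $dc } else { '(none found)' }
foreach ($name in $ports.Keys) {
    $checks["Port_$name"] = [bool]$dc -and (Test-TcpPort -HostName $dc -Port $ports[$name])
}

# 4. Trust direction: the server's domain must trust the user domain (outgoing trust).
#    A two-way trust also satisfies this; an inbound-only trust does not.
if (-not $domain) {
    $checks['UserDomainTrusted'] = $false
} elseif ($domain.Name -ieq $UserDomain) {
    $checks['UserDomainTrusted'] = $true   # same domain, no trust needed
} else {
    $match = $domain.GetAllTrustRelationships() | Where-Object {
        $_.TargetName -ieq $UserDomain -and
        ($_.TrustDirection -eq 'Outbound' -or $_.TrustDirection -eq 'Bidirectional')
    }
    $checks['UserDomainTrusted'] = [bool]$match
}

$portsOk = -not (($ports.Keys | ForEach-Object { $checks["Port_$_"] }) -contains $false)
$checks['Ready'] = $checks['DomainJoined'] -and $checks['SecureChannel'] -and
                   $checks['UserDomainTrusted'] -and $portsOk

[pscustomobject]$checks
```

Run it on the Array Manager and on each processing node, since both roles need domain controller access. A node placed in a DMZ will typically show the port checks failing; that is the situation in which the RPC ports must be opened, or IP Address authentication used instead, as described in the Notes below.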
Notes:
If the processing node servers must be in the DMZ and you cannot open the required ports for AD authentication, you can use IP Address authentication. IP Address authentication does not provide the same level of detail about individual users and their usage.