Sync Users, Groups, and Devices from Active Directory or LDAP
Applies To: WatchGuard Cloud
To synchronize users, groups, and devices from Active Directory or a Lightweight Directory Access Protocol (LDAP) database to your WatchGuard Cloud authentication domain, you must enable and configure directory sync. After you configure directory sync, WatchGuard Cloud connects to your external user database and adds all users, groups, and devices to your authentication domain at one time.
You cannot delete synced users and groups in WatchGuard Cloud. To remove a user or group from your WatchGuard Cloud authentication domain, you must delete the user or group from your Active Directory or LDAP server.
The Directory Sync tab is only visible for authentication domains with an Active Directory or LDAP server.
If you want to sync Active Directory or Entra ID (Azure Active Directory) users to AuthPoint, you add an external identity in AuthPoint. To learn more, go to Add User Accounts.
Requirements
To use the directory sync feature, the WatchGuard endpoint agent must be installed on your corporate network in a location that has Internet access and that can connect to your LDAP server. The agent enables communication between WatchGuard Cloud and your Active Directory or LDAP database. When you configure directory sync, you specify which computer to use to sync users, groups, and devices from your authentication domain to WatchGuard Cloud.
For Fireboxes to authenticate Active Directory and LDAP users, the Firebox must be able to connect to the Active Directory or LDAP server directly.
You can find the WatchGuard endpoint agent log files in this directory: %ProgramData%\Panda Security\Panda Aether Agent\Logs
Before you continue, be aware of these requirements:
- To use the AD Sync feature, you must install v1.18.02 or higher of the WatchGuard endpoint agent on your Active Directory or LDAP server
- To use the advanced filter feature with AD sync, you must install v1.18.03 or higher of the WatchGuard endpoint agent on your Active Directory or LDAP server
- You cannot use the users and groups that you sync to an authentication domain in WatchGuard Cloud with AuthPoint
If your account has a WatchGuard Endpoint Security license, the WatchGuard endpoint agent consumes an endpoint.
When you download the WatchGuard endpoint agent, we recommend that you verify the agent version number. If your account is not provisioned for a version of the agent that supports the AD Sync feature, you must contact WatchGuard Technical Support.
- Right-click the downloaded WatchGuard Endpoint Agent file and select Properties.
The WatchGuard Endpoint Agent Properties window opens. - Select the Details tab.
The Comments property shows the agent version.
- Open the Windows Start menu and search for Apps and features.
- To see the version number, select the Panda Endpoint Agent.
Configure Directory Sync
To sync users, groups, and devices from Active Directory or an LDAP database to your authentication domain, in WatchGuard Cloud:
- If you are a Service Provider, select the name of the managed subscriber account.
- Select Configure > Directories and Domain Services.
The Authentication Domains page opens.
- Click the domain name to edit.
The Update Authentication Domain page opens.
- Select Directory Sync.
- Click Configure Directory Sync.
The Directory Sync page opens.
- Download and install the WatchGuard endpoint agent. If you already have the WatchGuard endpoint agent installed on a computer that can connect to your Active Directory or LDAP server, go to Step 9.
- To download the WatchGuard endpoint agent, click Download the WatchGuard Endpoint Agent.
The Download Agent Installer window opens. - Select the type of computer you want to install the agent on.
- Click Download Agent.
The agent installer downloads. - When you download the WatchGuard endpoint agent, we recommend that you verify the agent version number. If your account is not provisioned for a version of the agent that supports the AD Sync feature, you must contact WatchGuard Technical Support.
- Right-click the downloaded WatchGuard Endpoint Agent file and select Properties.
The WatchGuard Endpoint Agent Properties window opens. - Select the Details tab.
The Comments property shows the agent version.
- Right-click the downloaded WatchGuard Endpoint Agent file and select Properties.
- To start the installation, double-click the downloaded installer file. You must install the agent on a computer that has Internet access and that can connect to your LDAP or Active Directory server.
The WatchGuard Endpoint Agent Installation Wizard opens. - Click Next.
- Click Install.
- Click Finish.
The agent is installed.
- To download the WatchGuard endpoint agent, click Download the WatchGuard Endpoint Agent.
- On the Directory Sync page, next to the Hosts drop-down list, click the Refresh icon .
- From the Hosts drop-down list, select the computer to use to run the synchronization. The list contains all computers that have the WatchGuard endpoint agent installed.
- In the Service Account and Service Account Password text boxes, enter the credentials for an Active Directory user that has permissions to perform LDAP searches and binds.
- In the Synchronized User Attributes section, select whether this is an Active Directory server or other type of LDAP database. For other databases, you must specify each attribute value. You do not have to do this for Active Directory because the attribute values are known.
- If this not an Active Directory server, type a value for each attribute.
- From the Primary Server drop-down list, select the primary server to use for synchronization. This drop-down list shows the servers you added to your WatchGuard Cloud authentication domain.
- (Optional) From the Secondary Server drop-down list, select a backup server to use for synchronization.
- From the Synchronization Interval drop-down list, specify how often you want to synchronize users and groups from the LDAP database.
- Click Next.
The Advanced Filter page opens.
- (Optional) To add a filter with an LDAP query to specify which groups or users to sync, click Add Advanced Filter. If you do not add a filter, all LDAP users and groups will sync to your authentication domain.
The Advanced Filter window opens.To use the Advanced Filter feature, you must install v1.18.03 or higher of the WatchGuard endpoint agent.
- From the Filter Type drop-down list, select Filter by Query.
- Enter a Name for the filter.
- In the Query text box, enter an LDAP query. For example, to sync users that are member of the TestGroup group, your query is (&(objectClass=user)(memberOf=CN=TestGroup,CN=Users,DC=myorg,DC=local)).
- Click Add Filter.
- Click Save.
The Update Authentication Domain page opens and you can see the details of your Directory Sync.
After you configure and save the directory sync settings, WatchGuard Cloud must register the computer that you selected to use for directory synchronization. This process can take up to four hours. When the registration completes, WatchGuard Cloud syncs with your Active Directory or LDAP database and adds to your authentication domain:
- Your LDAP users and groups
- Devices that belong to one of the Active Directory domains that you have added to this authentication domain
After you configure a directory sync, you can see these details on the Directory Sync tab:
- Host Name — The name of the computer that syncs users and groups from your Active Directory or LDAP server to WatchGuard Cloud.
- Status — Indicates whether WatchGuard Cloud can connect to your LDAP server.
- Last Sync — The date and time that WatchGuard Cloud most recently synced users and groups from your LDAP server.
To refresh this information, click the Refresh icon .
Manually Sync Users and Groups
After you configure a directory sync, WatchGuard Cloud syncs with your Active Directory or LDAP database at each synchronization interval and adds all users and groups and devices from your Active Directory or LDAP database to your authentication domain in WatchGuard Cloud.
If you want to sync users outside of the specified synchronization schedule, you can manually sync users at any time.
To manually sync users:
- If you are a Service Provider, select the name of the managed subscriber account.
- Select Configure > Directories and Domain Services.
The Authentication Domains page opens.
- Click the domain name to edit.
The Update Authentication Domain page opens.
- Select Directory Sync.
- Click Sync Directory.
Disable a Directory Sync
If you do not want to sync new users, groups, and devices to your authentication domain, you can disable the directory sync.
When you disable directory sync for an authentication domain, WatchGuard Cloud does not automatically sync with your Active Directory or LDAP database. Users, groups, and devices that have already synced to your authentication domain remain available, but WatchGuard Cloud does not automatically sync new users, groups, and devices or update existing users, groups, and devices.
If you disable a directory sync, you can still manually sync users, groups, and devices to your WatchGuard Cloud authentication domain.
To disable a directory sync, in WatchGuard Cloud:
- Select Configure > Directories and Domain Services.
The Authentication Domains page opens.
- Click the domain name to edit.
The Update Authentication Domain page opens.
- Select Directory Sync.
- Disable the Directory Synchronization toggle.