Prepare Your Environment

Requirements for Cisco Directory Connector

Windows and Active Directory Requirements

You can install Cisco Directory Connector on these supported Windows Servers:

Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows Server 2003

Note

To address a cookie issue, we recommend that you upgrade your domain controller to a release that contains the fix—Windows Server 2012 R2 or 2016.

Cisco Directory Connector is supported with the following Active Directory services:

Active Directory 2016

(Cisco Directory Connector is supported when using the latest version of Active Directory on Windows Server 2019)
Active Directory 2012
Active Directory 2008 R2
Active Directory 2008

Note the following additional requirements:

Cisco Directory Connector requires TLS1.2. You must install the following:
- .NET Framework v3.5 (required for the Cisco Directory Connector application. If you run into any issues, use the directions in Enable .NET Framework 3.5 by using the Add Roles and Features Wizard.)
- .NET Framework v.4.5 (required for TLS1.2)
Active Directory forest functional level 2 (Windows Server 2003) or higher is required. (See What Are Active Directory Functional Levels? for more information.)

Hardware Requirements

You must install Cisco Directory Connector on a computer with these minimum hardware requirements:

8 GB of RAM
50 GB of storage
No minimum for the CPU

Network Requirements

If your network is behind a firewall, ensure that your system has HTTPS (port 443) access to the internet.

Cisco Webex Organization Requirements

To access the Cisco Directory Connector software from Cisco Webex Control Hub, you require a Cisco Webex organization with a trial or any paid subscription.
(Optional) If you want new Webex Teams user accounts to be Active before they sign in for the first time, we recommend that you do the following:
- Add, verify, and optionally claim domains that contain the user email addresses you want to synchronize into the cloud.
- Do a single sign-on (SSO) integration of your Identity Provider (IdP) with your Webex organization.
- Suppress automatic email invites, so that new users won't receive the automatic email invitation and you can do your own email campaign. (This feature requires the SSO integration.)

Note

For more information, see User Statuses and Actions in Cisco Webex Control Hub.

Installation Requirements

For a multiple domain environment (either single forest or multiple forests), you must install one Cisco Directory Connector for each Active Directory domain. If you want to synchronize a new domain (B) while maintaining the synchronized user data on another existing domain (A), ensure that you have a separate supported Windows server to install Directory Connector for domain (B) synchronization.
For sign in to the connector, we do not require an administrative account in Active Directory. We require a local user account that is the same user as an full admin account in Cisco Webex Control Hub.

This local user must have privileges on that Windows machine to connect to the Domain Controller and read Active Directory user objects. The machine login account should be a computer administrator with privileges to install software on the local machine. (This information also applies to a Virtual Machine login.)
While signing in to the connector, the sign-in account must be the same as the full admin account for Control Hub. By default, the connector uses the local system account to access Active Directory. However, you can use Windows services to configure another account to access Active Directory. (This information also applies to a Virtual Machine login.)
Make sure that Windows Safe dynamic link library (DLL) search mode is enabled by using this procedure: Check SafeDllSearchMode in Windows Registry.
If you use AD LDS for multiple domains on a single forest, we recommend that you install Cisco Directory Connector and Active Directory Domain Service/Active Directory Lightweight Directory Services (AD DS/AD LDS) on separate machines.

Multiple Domain Requirements

Before you follow the tasks in Cisco Directory Connector Deployment Task Flow, keep the following requirements and recommendations in mind if you're going to synchronize Active Directory information from multiple domains into the cloud:

A separate instance of Cisco Directory Connector is required for each domain.
The Cisco Directory Connector software must run on a host that is on the same domain that it will synchronize.
We recommend that you verify or claim your domains in Cisco Webex Control Hub. (See Add, Verify, and Claim Domains.)
If you want to synchronize more than 50 domains, you must open a ticket to get your organization moved to a large org list.
If desired, you can synchronize room resource information along with user accounts. (See Synchronize On-Premises Room Information to the Cisco Webex Cloud.)

Sizing Information

Cisco Directory Connector works as a bridge between the on-premises Active Directory and the Webex cloud. As such, the connector does not have an upper limit for how many Active Directory objects can be synchronized to the cloud. Any limits on premises directory objects are tied to the specific version of and specifications for the Active Directory environment that is being synchronized to the cloud, not the connector itself.

A few factors can affect the speed of the synchronization:

The total number Active Directory objects. (A 5000 user sync job won't take as long as 50000.)
Network speed and bandwidth.
System workload and specifications.

Tip

If you are synchronizing more than 50000 users, we highly recommend that you use a second connector for failover and redundancy.

Note

Because several factors are involved with synchronization and because each deployment varies depending on the above factors, we cannot provide specific time values for how long an object synchronization will take.

Check SafeDllSearchMode in Windows Registry

Safe dynamic link library (DLL) search mode is set by default in the Windows registry and places the user's current directory later in the DLL search order. If this mode was somehow disabled, an attacker could place a malicious DLL (named the same as a referenced DLL file that is located in the system folder) into the current working directory of the application.

Usually, SafeDllSearchMode is enabled, but use this procedure to double-check the registry settings.

Before you begin

Caution

Changes to the Windows registry should be done with extreme caution. We recommend that you make a backup of your registry before using these steps.

Procedure

Step 1

In Windows search or the Run window, type regedit and then press Enter.

Step 2

Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager.

Step 3

Choose one:

SafeDllSearchMode isn't listed—No further action is needed.
SafeDllSearchMode is listed—Ensure that the value is set to 1.

For more information, see Dynamic Link Library Search Order.

Web Proxy Integration

If web proxy authentication is enabled in your environment, you can still use Cisco Directory Connector.

If your organization uses a transparent web proxy, it does not support authentication. The connector successfully connects and synchronizes users.

You can take one of these approaches:

Explicit web proxy through Internet Explorer (the connector inherits the web proxy settings)
Explicit web proxy through a .pac file (the connector inherits enterprise-specific proxy settings)
Transparent Proxy that works with the connector without any changes

Use a Web Proxy Through The Browser

You can set up Cisco Directory Connector to use a web proxy through Internet Explorer.

If the Cisco DirSync Service runs from a different account than the currently signed in user, you also need to sign in with this account and configure web proxy.

Procedure

Step 1

From Internet Explorer, go to Internet Options, click Connections, and then choose LAN Settings.

Step 2

Point the Windows instance where the connector is installed at your web proxy. The connector inherits these web proxy settings.

Step 3

If your environment uses proxy authentication, add these URLs to your allowed list:

cloudconnector.webex.com for synchronization.
idbroker.webex.com for authentication.

You may perform this either site-wide (for all hosts) or just for the host that has the connector.

Note

If you add these URLs to an allowed list to completely bypass your web proxy, make sure your firewall ACL table is updated to permit the connector host to access the URLs directly.

Configure Web Proxy Through a PAC file

You can configure a client browser to use a .pac file. This file supplies the web proxy address and port information. Cisco Directory Connector directly inherits the enterprise-specific web proxy configuration.

Procedure

Step 1

For the connector to successfully connect and sync user information to the Cisco Webex cloud, make sure proxy authentication is disabled for cloudconnector.webex.com in the .pac file configuration for the host where the connector is installed.

Step 2

If your environment uses proxy authentication, add these URLs to your allowed list:

cloudconnector.webex.com for synchronization.
idbroker.webex.com for authentication.

You may perform this either site-wide (for all hosts) or just for the host that has the connector.

Note

If you add these URLs to an allowed list to completely bypass your web proxy, make sure your firewall ACL table is updated to permit the connector host to access the URLs directly.

NTLM Proxy

Cisco Directory Connector supports NT LAN Manager (NTLM). NTLM is one approach to support Windows authentication among the domain devices and ensure their security.

NTLM Design

In most cases, a user wants to access another workstation resources through a client PC, which can be difficult to do in a secure way.

Generally, the technical design of NTLM is based on a mechanism of "Challenge" and "Response":

A user signs in to a client PC through a Windows account and password. The password is never saved locally. Instead of a plain text password, a hash value of the password is stored locally. When a user signs in through the password to the client, Windows OS compares the stored hash value and hashed value from the input password. If both are the same, the authentication passes.

When the user wants to access any resource in another server, the client sends a request to the server with the account name in plain text.
When the server receives the request, the server generates a 16-bit random key. The key is called Challenge (or Nonce). Before the server sends back to the client, the challenge is stored in the server. And then the server sends the challenge to the client in plain text.
As soon as the client receives the challenge sent from server, the client encrypts the challenge by the hash value that was mentioned in Step 1. After encryption, the value is sent back to the server.
When the server receives the encrypted value from the client, the server sends it to the domain controller for verification. The request includes: the account name, encrypted challenge which the client sent, and the original plain challenge.
The domain controller can retrieve the hash values of password according to account name. And then the domain controller can encrypt on the original challenge. The doman controller can then compare with the received hash value and the encrypted hash value. If they are same, the verification is successful.

Note

Windows has security authentication built into the operating system, making it easier for applications to support security authentication. As a result, you don't need to complete further configuration.

Configure Transparent Proxy

In this scenario, the browser is unaware that a transparent web proxy is intercepting http requests (port 80/port 443) and no client-side configuration is required.

Procedure

Step 1	Deploy a transparent proxy, so that the connector can connect and synchronize users.
Step 2	Confirm that the proxy is successful—you see an expected browser authentication popup window when starting the connector.

Set Proxy Authentication

Add the URL cloudconnector.webex.com to your allowed list by creating an Access Control List.

On your enterprise firewall server:

Procedure

Step 1	Enable DNS lookup if not already enabled.
Step 2	Determine an estimated bandwidth for this connection (at approximately 2 mb/s or less for the connector). This may not be required.
Step 3	Create an Access Control List to apply to the connector host, and specify cloudconnector.webex.com as the target to add to the allowed list. For example: `access-list 2000 acl-inside extended permit TCP [IP of the connector] cloudconnector.webex.com eq https`
Step 4	Apply this ACL to the appropriate firewall interface, which is only applicable for this single connector host.
Step 5	Ensure that the rest of the hosts in your enterprise are still required to use your web proxy by configuring the appropriate implicit deny statement.

Deployment Guide for Cisco Directory Connector

Book Title

Chapter Title

Results

Chapter: Prepare Your Environment

Prepare Your Environment

Requirements for Cisco Directory Connector

Windows and Active Directory Requirements

Hardware Requirements

Network Requirements

Cisco Webex Organization Requirements

Installation Requirements

Multiple Domain Requirements

Sizing Information

Check SafeDllSearchMode in Windows Registry

Before you begin

Procedure

Web Proxy Integration

Web Proxy Integration

Use a Web Proxy Through The Browser

Procedure

Configure Web Proxy Through a PAC file

Procedure

NTLM Proxy

NTLM Design

Configure Transparent Proxy

Procedure

Set Proxy Authentication

Procedure

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions