Deployment Guide for Directory Connector

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Deployment Guide for Directory Connector

Chapter Title

Prepare Your Environment for Directory Connector

Results

Updated:
January 27, 2023

Chapter: Prepare Your Environment for Directory Connector

Prepare Your Environment for Directory Connector

Requirements for Directory Connector

Windows and Active Directory Requirements

You can install Directory Connector on these supported Windows Servers:

  • Windows Server 2022

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2012 R2

  • Windows Server 2012

  • Windows Server 2008 R2

  • Windows Server 2003


Note

To address a cookie issue, we recommend that you upgrade your domain controller to a release that contains the fix—Windows Server 2012 R2 or 2016.

Directory Connector is supported with the following Active Directory services:

  • Active Directory 2016

    (Directory Connector is supported when using the latest version of Active Directory on Windows Server 2019)

  • Active Directory 2012

  • Active Directory 2008 R2

  • Active Directory 2008

Note the following additional requirements:

Hardware Requirements

You must install Directory Connector on a computer with these minimum hardware requirements:

  • 8 GB of RAM

  • 50 GB of storage

  • No minimum for the CPU

Network Requirements

If your network is behind a firewall, ensure that your system has HTTPS (port 443) access to the internet.

Webex Organization Requirements

  • To access the Directory Connector software from Control Hub, you require a Webex organization with a trial or any paid subscription.

  • (Optional) If you want new Webex App user accounts to be Active before they sign in for the first time, we recommend that you do the following:


Note

For more information, see User Statuses and Actions in Control Hub.

Installation Requirements

  • For a multiple domain environment (either single forest or multiple forests), you must install one Directory Connector for each Active Directory domain. If you want to synchronize a new domain (B) while maintaining the synchronized user data on another existing domain (A), ensure that you have a separate supported Windows server to install Directory Connector for domain (B) synchronization.

  • For sign in to the connector, we do not require an administrative account in Active Directory. We require a local user account that is the same user as an full admin account in Control Hub.

    This local user must have privileges on that Windows machine to connect to the Domain Controller and read Active Directory user objects. The machine login account should be a computer administrator with privileges to install software on the local machine. (This information also applies to a Virtual Machine login.)

  • While signing in to the connector, the sign-in account must be the same as the full admin account for Control Hub. By default, the connector uses the local system account to access Active Directory. However, you can use Windows services to configure another account to access Active Directory. (This information also applies to a Virtual Machine login.)

  • Make sure that Windows Safe dynamic link library (DLL) search mode is enabled by using this procedure: Check SafeDllSearchMode in Windows Registry.

  • If you use AD LDS for multiple domains on a single forest, we recommend that you install Directory Connector and Active Directory Domain Service/Active Directory Lightweight Directory Services (AD DS/AD LDS) on separate machines.

Multiple Domain Requirements

Before you follow the tasks in Cisco directory connector Deployment Task Flow, keep the following requirements and recommendations in mind if you're going to synchronize Active Directory information from multiple domains into the cloud:

  • A separate instance of Directory Connector is required for each domain.

  • The Directory Connector software must run on a host that is on the same domain that it will synchronize.

  • We recommend that you verify or claim your domains in Control Hub. (See Add, Verify, and Claim Domains.)

  • If you want to synchronize more than 50 domains, you must open a ticket to get your organization moved to a large org list.

  • If desired, you can synchronize room resource information along with user accounts. (See Synchronize On-Premises Room Information to the Webex Cloud.)

Active Directory Group Recommendations for Automatic License Assignment

Active Directory groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.

There are two types of groups in Active Directory:​

  • Distribution groups—Used to create email distribution lists.​

  • Security groups—Used to assign permissions to shared resources.

Consider the following guidelines when creating groups in Active Directory:

  • Create a global group for each role, department or service (such as Sales, Marketing, Managers, Accountants, Webex Licensing, and so on).​

  • Use standard naming conventions across your organization to make it easy to identify important information about a group. Group names can include details about the group, such as the level of access, type of resource, level of security, group scope, mail capability, and so on. for example, the group name “GSG_Webex_Licensing_EMEAR” refers to a Global Security Group for Webex Licensing EMEAR users.​

  • Organize groups in an easy-to-understand way, such as by geography or managerial hierarchy. Use group descriptions to completely describe the purpose of the group.

  • Before adding users to newly provisioned groups, define the Auto License Group Template in Control Hub for those groups. See Set Up Your Automatic License Assignment Template for more information.

Sizing Information

Directory Connector works as a bridge between the on-premises Active Directory and the Webex cloud. As such, the connector does not have an upper limit for how many Active Directory objects can be synchronized to the cloud. Any limits on premises directory objects are tied to the specific version of and specifications for the Active Directory environment that is being synchronized to the cloud, not the connector itself.

A few factors can affect the speed of the synchronization:

  • The total number Active Directory objects. (A 5000 user sync job won't take as long as 50000.)

  • Network speed and bandwidth.

  • System workload and specifications.


Tip

If you are synchronizing more than 50000 users, we highly recommend that you use a second connector for failover and redundancy.

Note

Because several factors are involved with synchronization and because each deployment varies depending on the above factors, we cannot provide specific time values for how long an object synchronization will take.

Check SafeDllSearchMode in Windows Registry

Safe dynamic link library (DLL) search mode is set by default in the Windows registry and places the user's current directory later in the DLL search order. If this mode was somehow disabled, an attacker could place a malicious DLL (named the same as a referenced DLL file that is located in the system folder) into the current working directory of the application.

Usually, SafeDllSearchMode is enabled, but use this procedure to double-check the registry settings.

Before you begin


Caution

Changes to the Windows registry should be done with extreme caution. We recommend that you make a backup of your registry before using these steps.

Procedure

Step 1

In Windows search or the Run window, type regedit and then press Enter.

Step 2

Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager.

Step 3

Choose one:

  • SafeDllSearchMode isn't listed—No further action is needed.
  • SafeDllSearchMode is listed—Ensure that the value is set to 1.

For more information, see Dynamic Link Library Search Order.

Web Proxy Integration

Web Proxy Integration

If web proxy authentication is enabled in your environment, you can still use Directory Connector.

If your organization uses a transparent web proxy, it does not support authentication. The connector successfully connects and synchronizes users.

You can take one of these approaches:

  • Explicit web proxy through Internet Explorer (the connector inherits the web proxy settings)

  • Explicit web proxy through a .pac file (the connector inherits enterprise-specific proxy settings)

  • Transparent Proxy that works with the connector without any changes

Use a Web Proxy Through The Browser

You can set up Directory Connector to use a web proxy through Internet Explorer.

If the Cisco DirSync Service runs from a different account than the currently signed in user, you also need to sign in with this account and configure web proxy.

Procedure

Step 1

From Internet Explorer, go to Internet Options, click Connections, and then choose LAN Settings.

Step 2

Point the Windows instance where the connector is installed at your web proxy. The connector inherits these web proxy settings.
Step 3

If your environment uses proxy authentication, add these URLs to your allowed list:

  • cloudconnector.webex.com for synchronization.
  • idbroker.webex.com for authentication.
  • idbroker-static.webex.com for providing static resources, such as font, js components, etc.

You may perform this either site-wide (for all hosts) or just for the host that has the connector.

Note 

If you add these URLs to an allowed list to completely bypass your web proxy, make sure your firewall ACL table is updated to permit the connector host to access the URLs directly.

Step 4

If your environment needs to request Certificate Revocation Lists from Certificate Authorities, add these URLs to your allowed list:

  • *.quovadisglobal.com
  • *.digicert.com
  • *.godaddy.com
  • *.identrust.com
  • *.lencr.org

For more information, see this article about domains and URLs that need to be accessed for Webex Services.

Configure Web Proxy Through a PAC file

You can configure a client browser to use a .pac file. This file supplies the web proxy address and port information. Directory Connector directly inherits the enterprise-specific web proxy configuration.

Procedure

Step 1

For the connector to successfully connect and sync user information to the Webex cloud, make sure proxy authentication is disabled for cloudconnector.webex.com in the .pac file configuration for the host where the connector is installed.

Step 2

If your environment uses proxy authentication, add these URLs to your allowed list:

  • cloudconnector.webex.com for synchronization.
  • idbroker.webex.com for authentication.
  • idbroker-static.webex.com for providing static resources, such as font, js components, etc.

You may perform this either site-wide (for all hosts) or just for the host that has the connector.

Note 

If you add these URLs to an allowed list to completely bypass your web proxy, make sure your firewall ACL table is updated to permit the connector host to access the URLs directly.

Step 3

If your environment needs to request Certificate Revocation Lists from Certificate Authorities, add these URLs to your allowed list:

  • *.quovadisglobal.com
  • *.digicert.com
  • *.godaddy.com
  • *.identrust.com
  • *.lencr.org

For more information, see this article about domains and URLs that need to be accessed for Webex Services.

NTLM Proxy

Directory Connector supports NT LAN Manager (NTLM). NTLM is one approach to support Windows authentication among the domain devices and ensure their security.

NTLM Design

In most cases, a user wants to access another workstation resources through a client PC, which can be difficult to do in a secure way.

Generally, the technical design of NTLM is based on a mechanism of "Challenge" and "Response":

  1. A user signs in to a client PC through a Windows account and password. The password is never saved locally. Instead of a plain text password, a hash value of the password is stored locally. When a user signs in through the password to the client, Windows OS compares the stored hash value and hashed value from the input password. If both are the same, the authentication passes.

    When the user wants to access any resource in another server, the client sends a request to the server with the account name in plain text.

  2. When the server receives the request, the server generates a 16-bit random key. The key is called Challenge (or Nonce). Before the server sends back to the client, the challenge is stored in the server. And then the server sends the challenge to the client in plain text.

  3. As soon as the client receives the challenge sent from server, the client encrypts the challenge by the hash value that was mentioned in Step 1. After encryption, the value is sent back to the server.

  4. When the server receives the encrypted value from the client, the server sends it to the domain controller for verification. The request includes: the account name, encrypted challenge which the client sent, and the original plain challenge.

  5. The domain controller can retrieve the hash values of password according to account name. And then the domain controller can encrypt on the original challenge. The doman controller can then compare with the received hash value and the encrypted hash value. If they are same, the verification is successful.


Note

Windows has security authentication built into the operating system, making it easier for applications to support security authentication. As a result, you don't need to complete further configuration.

Configure Transparent Proxy

In this scenario, the browser is unaware that a transparent web proxy is intercepting http requests (port 80/port 443) and no client-side configuration is required.

Procedure

Step 1

Deploy a transparent proxy, so that the connector can connect and synchronize users.
Step 2

Confirm that the proxy is successful—you see an expected browser authentication popup window when starting the connector.

Set Proxy Authentication

Add the URL cloudconnector.webex.com to your allowed list by creating an Access Control List.

On your enterprise firewall server:

Procedure

Step 1

Enable DNS lookup if not already enabled.
Step 2

Determine an estimated bandwidth for this connection (at approximately 2 mb/s or less for the connector). This may not be required.

Step 3

Create an Access Control List to apply to the connector host, and specify cloudconnector.webex.com as the target to add to the allowed list.

For example:

access-list 2000 acl-inside extended permit TCP [IP of the connector] cloudconnector.webex.com eq https
Step 4

Apply this ACL to the appropriate firewall interface, which is only applicable for this single connector host.
Step 5

Ensure that the rest of the hosts in your enterprise are still required to use your web proxy by configuring the appropriate implicit deny statement.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco