Juniper Security Director Cloud User Guide
Create and Manage Active Directory Profiles

26-Feb-25

Use the Create Active Directory Profile page to configure the IP address-to-user mapping information and the user-to-group mapping information, including the LDAP server that the SRX Series Firewall queries for group membership.

  1. Select SRX > Identity > Active Directory.

    The Active Directory Profile page appears.

  2. Click the + icon.
  3. Complete the configuration according to the following guidelines:
    Table 1: Fields on the Create Active Directory Profile Page

    General Information

    Name

    Enter a unique name. Alphanumeric characters are allowed, together with the following special characters:

    • Colons
    • Periods
    • Dashes
    • Underscores

    The maximum length is 62 characters.

    Description

    Enter a description for the Active Directory profile. The maximum length is 255 characters.

    Add Domain Settings

    General

    Domain Name

    Enter the name of the domain. The maximum length is 64 characters. The SRX Series Firewall can have the integrated user firewall configured in a maximum of two domains.

    Example: example.net

    Description

    Enter a description for the LDAP server domain. The maximum length is 255 characters.

    Domain Controller

    Username

    Enter the Active Directory account name. The range is 1 through 64 characters.

    Example: administrator

    Password

    Enter the password of the Active Directory account. The range is 1 through 128 characters.

    Example: $ABC123

    Domain Controller

    Click the plus sign to create new domain controllers.

    • Domain Controller Name—Enter a name of 1 through 64 characters. You can configure a maximum of 10 domain controllers.

    • Address—Enter the IP address of the domain controller.

    User Group Mapping (LDAP)

    Credential Options

    Select one of the following options.

    • Use Domain Controllers username/password
    • Specify username/password

    Address

    Specify the IP address of the LDAP server. If no address is specified, the system uses one of the configured Active Directory domain controllers.

    Example: 192.0.2.15

    Port

    Specify the port number of the LDAP server. If no port number is specified, the system uses port 389 for plain-text LDAP or port 636 for SSL-encrypted LDAP.

    Base DN

    Enter the LDAP base distinguished name (DN).

    Example: DC=example,DC=net

    Username

    Enter the username of the LDAP account. If no username is specified, the system will use the configured domain controller’s username.

    Example: administrator

    Password

    Enter the password for the account. If no password is specified, the system uses the configured domain controller’s password.

    Advanced

    SSL

    Click the toggle button to enable Secure Sockets Layer (SSL) to ensure secure transmission with the LDAP server. This option is disabled by default, in which case the LDAP account password is sent in plain text.

    Authentication Algorithm

    Click the toggle button to specify the algorithm used while the SRX Series Firewall communicates with the LDAP server. By default, simple is selected to configure simple (plain text) authentication mode.

    IP-User Mapping

    Event log scanning interval

    Enter the scanning interval at which the SRX Series Firewall scans the event log on the domain controller. The range is 5 through 60 seconds.

    Event log span

    Enter the time of the earliest event log on the domain controller that the SRX Series Firewall initially scans. This scan applies to the initial deployment only. After WMIC and user identification start working, the SRX Series Firewall scans only the latest event log.

    The range is 1 through 168 seconds.

    Assign Device

    Device

    Select the devices from the Available column and move them to the Selected column.

    You can also search for the devices in the search field in both the Available and Selected columns. You can search these devices by entering the device name, device IP address, or device tag.

    Timeout

    Authentication Entry Timeout

    Set the timeout to 0 to prevent a user's entry from being removed from the authentication table when the timeout expires.

    Note that when a user is no longer active, a timer starts for that user’s entry in the Active Directory authentication table. When the time is up, the user’s entry is removed from the table. Entries in the table remain active as long as there are sessions associated with the entry.

    The default authentication entry timeout is 30 minutes. To disable the timeout, set the interval to 0. The range is 10 through 1440 minutes.

    WMI Timeout

    Configure the number of seconds that the domain PC has to respond to the SRX Series Firewall’s query through Windows Management Instrumentation (WMI) or Distributed Component Object Model (DCOM).

    If there is no response from the domain PC within the wmi-timeout interval, the probe fails and the system either creates an invalid authentication entry or marks the existing authentication entry as invalid. If an authentication table entry already exists for the probed IP address and no response is received from the domain PC within the wmi-timeout interval, the probe fails and that entry is deleted from the table.

    The range is 3 through 120 seconds.

    Filter

    Filter

    Set the range of IP addresses that must be monitored or not monitored.

    • Include—Specify to include IP addresses from the Available column.

    • Exclude—Specify to exclude IP addresses from the Available column.

    Click Add New Address to create an IP address and add it as either include or exclude from monitoring.

  4. Click OK.

    A Summary page providing a preview of the complete configuration appears.
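The limits and defaults listed in Table 1 can be checked before a profile is pushed to devices. The following Python script is an added example written for this page; it is not code from Juniper or from Security Director Cloud. It encodes the documented constraints (name characters and length, at most two domains and ten domain controllers per domain, the 389/636 port default that depends on the SSL toggle, the scan-interval, WMI-timeout and authentication-entry-timeout ranges) and flags the settings that weaken the deployment: SSL left off, which sends the LDAP account password in plain text, and an authentication entry timeout of 0, which never ages out stale IP-to-user entries. The dictionary layout, the key names, and the rule that an Exclude entry overrides an Include entry in the IP filter are assumptions made for this example.

```python
"""Added example: lint an Active Directory profile against the limits in Table 1.

Not Juniper code. The dictionary layout and key names are assumptions made for
this example; the numeric limits are the ones documented on the page.
"""
import ipaddress
import re

# Name: alphanumerics plus colons, periods, dashes, underscores; at most 62 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9:._-]{1,62}$")


def effective_ldap_port(ldap: dict) -> int:
    """Port used for user-group mapping: the configured port if set,
    otherwise 389 for plain-text LDAP or 636 when SSL is enabled."""
    if ldap.get("port") is not None:
        return int(ldap["port"])
    return 636 if ldap.get("ssl") else 389


def _check_range(findings: list, profile: dict, key: str, lo: int, hi: int, unit: str) -> None:
    """Append an ERROR when an optional numeric field is outside its documented range."""
    value = profile.get(key)
    if value is not None and not lo <= value <= hi:
        findings.append(f"ERROR: {key}={value} is outside {lo}-{hi} {unit}")


def validate_profile(profile: dict) -> list[str]:
    """Return ERROR/WARNING findings; an empty list means the profile passes."""
    findings: list[str] = []

    if not NAME_RE.match(profile.get("name", "")):
        findings.append("ERROR: name must be 1-62 alphanumerics, colons, periods, dashes or underscores")
    if len(profile.get("description", "")) > 255:
        findings.append("ERROR: description exceeds 255 characters")

    domains = profile.get("domains", [])
    if len(domains) > 2:
        findings.append("ERROR: the integrated user firewall supports at most two domains")

    for domain in domains:
        dn = domain.get("domain_name", "")
        if not 1 <= len(dn) <= 64:
            findings.append(f"ERROR: domain name {dn!r} must be 1-64 characters")

        controllers = domain.get("domain_controllers", [])
        if len(controllers) > 10:
            findings.append(f"ERROR: domain {dn}: at most 10 domain controllers")
        for dc in controllers:
            try:
                ipaddress.ip_address(dc.get("address", ""))
            except ValueError:
                findings.append(f"ERROR: domain {dn}: controller {dc.get('name')!r} has no valid IP address")

        ldap = domain.get("ldap", {})
        if not ldap.get("ssl"):
            # SSL is off by default; the LDAP account password then crosses the network unencrypted.
            findings.append(
                f"WARNING: domain {dn}: LDAP SSL is off, password is sent in plain text "
                f"on port {effective_ldap_port(ldap)}"
            )

    _check_range(findings, profile, "event_log_scan_interval", 5, 60, "seconds")
    _check_range(findings, profile, "wmi_timeout", 3, 120, "seconds")

    # Authentication entry timeout: 0 disables ageing, otherwise 10-1440 minutes (default 30).
    auth_timeout = profile.get("auth_entry_timeout", 30)
    if auth_timeout == 0:
        findings.append("WARNING: auth_entry_timeout is 0, inactive IP-to-user entries are never removed")
    elif not 10 <= auth_timeout <= 1440:
        findings.append(f"ERROR: auth_entry_timeout={auth_timeout} must be 0 or 10-1440 minutes")

    return findings


def is_monitored(ip: str, include: list, exclude: list) -> bool:
    """Apply the Include/Exclude IP filter to one address.

    Assumption for this example: an empty Include list monitors every address,
    and an Exclude match always wins over an Include match."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net, strict=False) for net in exclude):
        return False
    if not include:
        return True
    return any(addr in ipaddress.ip_network(net, strict=False) for net in include)


# Constructed sample profile; the out-of-range WMI timeout and the zero auth timeout are deliberate.
SAMPLE_PROFILE = {
    "name": "corp-ad.profile_1",
    "description": "Constructed sample profile",
    "domains": [{
        "domain_name": "example.net",
        "domain_controllers": [{"name": "dc1", "address": "192.0.2.10"}],
        "ldap": {"address": "192.0.2.15", "port": None, "base_dn": "DC=example,DC=net", "ssl": False},
    }],
    "event_log_scan_interval": 10,
    "wmi_timeout": 200,
    "auth_entry_timeout": 0,
}

if __name__ == "__main__":
    for line in validate_profile(SAMPLE_PROFILE):
        print(line)
```

Run as a script it prints three findings for the constructed sample: the plain-text LDAP warning (on port 389, because no port is set and SSL is off), the out-of-range WMI timeout, and the disabled authentication entry timeout. Treating the SSL warning as a blocking finding in a change pipeline is the cheapest way to keep the LDAP account password off the wire.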

Manage Active Directory Profiles
  • Edit—Select the profile, and then click .

  • Clone—Select the profile, and then click More > Clone.

  • Delete—Select the profile, and then click . The selected profile is deleted from all the SRX Series Firewalls.
