620 Views 6 Replies Latest reply: Nov 4, 2013 3:51 AM by PhilM
PhilM Champion 528 posts since
Jan 7, 2010
Nov 1, 2013 9:01 AM

AD/LDAP integration - Best Practice

I'm just looking into the process of populating the SaaS Email environment with users/accounts using a pre-existing Active Directory service.

Reading through the "Directory Integration" section of the Account Management Administration Guide, it would appear there are two options when using LDAP - Email Domain or AD Domain. The guide suggests that if you only have a single domain, "Email Domain" is the option to go for, and if there are multiple alias addresses present for different domains the "AD Domain" option should be pursued.

It then goes on to explain there is also a Directory Services Connector which can be used for this purpose, but that this requires ePO to be up and running on the network.

Given that the customer environment I will shortly be working on is known to use multiple e-mail domains, and there's every chance that users won't necessarily just have alias addresses with the same e-mail domain (bob.smith@acme.com, bobs@acme.com, bob@acme.com) but may also have alias addresses belonging to one or more additional e-mail domains (bob.smith@acme.com, bob.smith@acme-inc.com, bob.smith@acme-tools.com), I've concluded that AD Domain is the correct route to take.

However, when I select this as the Logical Structure option in Account Management -> Directory Integration -> Configuration, the system immediately seems to assume I will be using the Directory Services Connector.

As I know this customer is not a mainstream McAfee customer (they have Firewall Enterprise appliances, but ePO integration isn't a fundamental requirement), they do not currently have ePO deployed.

How can we achieve what I know the customer will need without being forced to install ePO and the Directory Services Connector?

Is it possible to create multiple Email Domain entries, one for each domain name (primary or alias) registered to the customer's SaaS service?

Another question I have: with many AD environments using an 'internal' domain name, the user's primary e-mail address will often be associated with a different domain name. So, to use the Bob Smith example, his Active Directory domain address may well be bob.smith@acme_ad.local while his Internet e-mail address will be the aforementioned bob.smith@acme.com (and the domain registered to SaaS will be acme.com). How will SaaS handle the creation of user accounts from LDAP?

Many Thanks

-Phil.

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    1. Nov 1, 2013 10:16 AM (in response to PhilM)
    Re: AD/LDAP integration - Best Practice

    Phil,

    The AD Domain structure utilizes a "Push" method of synchronizing the data from Active Directory, so it is only possible with the Directory Services Connector and ePO.

    You can use the Email Domain option for multiple domains; it's just not quite as simple. For primary domains, Directory Integration must be set per-domain. For alias domains, those will be automatically inherited from the primary address. The only exception would be if there are alias usernames in addition to the alias domains (bob@domaina.com and bsmith@domainalias.com); then you may need to ensure there is a proxy address entry for bsmith at the primary address as well.

    As far as the .local addresses, those will be discarded. As long as an email address exists in proxyAddresses at the primary domain in the Control Console, the user will be created.


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver

    Frequently Requested Information
  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    3. Nov 1, 2013 11:51 AM (in response to PhilM)
    Re: AD/LDAP integration - Best Practice

    Phil,

    In your example, it will be the former. Domain alias accounts are automatically inherited from the primary username, so they don't necessarily require a proxyAddresses entry, although one is recommended for congruency between the two systems (and so the mailbox can receive on both the alias and primary domains).


  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    5. Nov 1, 2013 12:14 PM (in response to PhilM)
    Re: AD/LDAP integration - Best Practice

    Phil,

    As long as the message passes the filtering layers, McAfee will attempt to deliver the message, and assuming the recipient server is configured to bounce invalid recipients in transit, we will issue an NDR based on the error we receive.

    The SaaS product can do something similar, assuming the User Creation mode is set to Explicit and configured to Deny or Silently Discard the message. But that will not prevent situations where the user has a domain alias entry that is automatically inherited but the backend server is not configured to actually receive mail. The action taken will be what is described above.

    The rule of thumb I recommend using when determining if the domain should be an alias or a primary (with the necessary accounts cross-linked) is that if MOST of the users will receive email on both domains, then go with alias. If only a handful will, then it's best to treat the domain as a primary to prevent the situation I described above.


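The two replies above describe a small set of rules an administrator can check before turning on Email Domain integration: .local addresses are ignored, an account is created only when proxyAddresses holds an address at a primary domain configured in the console, alias domains are inherited from the primary username (so an alias-only username needs a matching entry at the primary domain), an inherited alias with no proxyAddresses entry may be rejected by the backend mail server, and an alias domain is only a good fit when most users receive mail on both domains. The following script is an added example that models those rules over a constructed AD export; it is not McAfee code, and the export format, the `PRIMARY_DOMAINS`/`ALIAS_DOMAINS` tables and the "most" threshold are assumptions made for illustration.

```python
"""Pre-flight check for Email Domain (LDAP) integration.

Added example modelling the provisioning behaviour described in the thread.
Not McAfee's implementation; domain tables and record format are assumed.
"""

INTERNAL_SUFFIXES = (".local",)                 # internal AD domains are discarded
PRIMARY_DOMAINS = {"acme.com"}                  # domains configured as primaries (assumed)
ALIAS_DOMAINS = {"acme-inc.com": "acme.com"}    # alias domain -> its primary (assumed)

# Constructed sample of the relevant attributes from an AD export.
SAMPLE_USERS = [
    {"sAMAccountName": "bsmith", "proxyAddresses": [
        "SMTP:bob.smith@acme_ad.local", "smtp:bob.smith@acme.com",
        "smtp:bobs@acme.com", "smtp:bob.smith@acme-inc.com"]},
    {"sAMAccountName": "jdoe", "proxyAddresses": [
        "SMTP:jane.doe@acme_ad.local", "smtp:jane.doe@acme.com"]},
    # alias username that exists only on the alias domain
    {"sAMAccountName": "tlee", "proxyAddresses": [
        "SMTP:tom.lee@acme_ad.local", "smtp:tlee@acme-inc.com"]},
    # service account with no Internet-routable address at all
    {"sAMAccountName": "svc-backup", "proxyAddresses": ["SMTP:svc-backup@acme_ad.local"]},
]


def smtp_addresses(proxy_addresses):
    """Return the Internet-routable addresses from a proxyAddresses attribute.

    'SMTP:' and 'smtp:' entries both count; other prefixes (x500:, sip:) and
    addresses at an internal suffix such as .local are ignored.
    """
    out = []
    for entry in proxy_addresses:
        prefix, sep, addr = entry.partition(":")
        if not sep or prefix.lower() != "smtp":
            continue
        addr = addr.lower()
        if "@" not in addr or addr.endswith(INTERNAL_SUFFIXES):
            continue
        out.append(addr)
    return out


def provision(user):
    """Model the account-creation rule for one AD user and collect warnings."""
    addrs = smtp_addresses(user["proxyAddresses"])
    primary = [a for a in addrs if a.rsplit("@", 1)[1] in PRIMARY_DOMAINS]
    explicit_alias = [a for a in addrs if a.rsplit("@", 1)[1] in ALIAS_DOMAINS]
    warnings = []
    if not primary:
        # No address at a primary domain: the user will not be created.
        for a in explicit_alias:
            local, dom = a.rsplit("@", 1)
            warnings.append(f"add {local}@{ALIAS_DOMAINS[dom]} to proxyAddresses "
                            f"so the account is created")
        if not explicit_alias:
            warnings.append("no address at a primary domain; account will not be created")
        return {"created": False, "primary": [], "inherited": [], "warnings": warnings}
    # Every primary-domain username is inherited onto each alias of that domain.
    inherited = []
    for a in primary:
        local, dom = a.rsplit("@", 1)
        for alias, pdom in ALIAS_DOMAINS.items():
            if pdom == dom:
                inherited.append(f"{local}@{alias}")
    for a in inherited:
        if a not in explicit_alias:
            warnings.append(f"{a} is inherited in the console but absent from "
                            f"proxyAddresses; the backend may reject it")
    return {"created": True, "primary": primary, "inherited": inherited, "warnings": warnings}


def alias_or_primary(users, alias_domain, threshold=0.5):
    """Rule of thumb: alias only if most users receive mail on both domains."""
    primary_domain = ALIAS_DOMAINS[alias_domain]
    either = both = 0
    for u in users:
        doms = {a.rsplit("@", 1)[1] for a in smtp_addresses(u["proxyAddresses"])}
        if primary_domain in doms or alias_domain in doms:
            either += 1
            if primary_domain in doms and alias_domain in doms:
                both += 1
    share = both / either if either else 0.0
    return {"share_on_both": share, "recommend": "alias" if share > threshold else "primary"}


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        r = provision(u)
        print(u["sAMAccountName"], "created" if r["created"] else "SKIPPED", r["inherited"])
        for w in r["warnings"]:
            print("   warning:", w)
    print("acme-inc.com:", alias_or_primary(SAMPLE_USERS, "acme-inc.com"))
```

Running it against a real export is a matter of replacing `SAMPLE_USERS` with the sAMAccountName and proxyAddresses values pulled from the directory; the warnings list is the set of proxyAddresses entries to add before enabling integration, and the last line gives the alias-versus-primary recommendation for each alias domain.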
