Click an item to jump directly to that section.
The Active Directory Login Monitor is a small piece of software that is installed on all of your Domain controllers (2003, 2008 and 2012). The Login Monitor detects when users logon to your domain and sends that information to the NGFW appliances to be used in reporting and grouping.
IMPORTANT: The Login Monitor will need to be running on all domain controllers that are on the network to “catch” the authentications from those Servers.
The Active Directory Login Monitor can be downloaded here. http://download.untangle.com/UntangleActiveDirectoryMonitorSetup.exe
Next Generation Firewall
After installation you will be prompted with the configuration settings. The NGFW IP will need to entered in for the logins to be sent to those devices.
This is a secret key that is used when sending logins to the NGFW server. This allows the server to only trust logins that provide the correct Secret Key.
NOTE: If you are using HTTPS Prefix this field is required.
This will be the IP of your NGFW server.
Exempt IP Addresses
During the setup process IP exemptions should entered for network nodes that you do not want to see logins from. These are generally Terminal servers, Batch file logins and servers.
Exempt users section is used to exempt users that you do not want to see logins from. These are generally SQL server logins, batch file logins etc that are used to run programs/ installations on workstations.
User Notification API Testing
Directory Connector utilizes a web API to allow devices and servers to tell the NGFW that a user has logged in on a specific IP address. A complete guide for how to use the API for testing can be found here:
Additionally, you can test that the Login monitor is able to access the API using a built-in Test button.
Kerberos and other Active Directory Settings
*Manually enabling Kerberos Auditing/Authentication only needs to be done on Windows Server 2008 and above.
**Due to some Windows Server 2008 and 2008 SBS not having an Advanced Auditing section these servers cannot be used unless you are able to push a group policy from a 2008 R2 or above server that has the option on the domain.
Audit Kerberos Authentication needs to be enabled on the domain controller that Directory Login Monitor runs on. This is done by enabling it in the “Local Security Policy”. By default this is generally enabled. Due to configuration changes that are made during the running of Windows servers it may not be enabled.
Server 2008 R2
- Open the Local Security Policy. On Server 2008 this can be done by clicking Start and typing in Local security policy and selecting it in the Start Menu.
- After Local Security Policy is open expand Advanced Audit Policy Configuration> System Audit Policies- Local Group Policy Object > Account Logon
- Under the Local Security Setting tab, Audit these attempts check the Success check box.
Server 2012 R2
Due to the variety of possible changes that directly impact Login Monitor in this version, we have created a separate article for it.
Other Settings to check
There are other settings that exist on Windows Server that can have an effect on Directory Connector and Login Monitor. Below is a link from Microsoft's Technet that details these settings and how to check them.