LDAP Active Directory Settings - Unsecured communications between the Symantec Gateway Security Firewall and your Windows 2000 Active Directory Server

Article:TECH89813  |  Created: 2008-01-27  |  Updated: 2012-03-09  |  Article URL http://www.symantec.com/docs/TECH89813
Article Type
Technical Solution


Problem



You need more information on how to set up and configure the Symantec Gateway Security firewall with a Windows 2000 Server that is running Active Directory, with the connection handled over LDAP.



Solution



NOTE: This example setup is for reference use only. Security considerations for your server and company policy must be taken into consideration. This configuration is recommended for testing only and should not be deployed as is into a production environment.


    Setting up an LDAP connection to Active Directory on the Symantec Gateway Security 1600/5000 Series Appliances.

    A DNS record is required for the FQDN of the Active Directory Server
      Adding a DNS host record for the FQDN of the Active Directory Server
      · In the SGMI go to Assets > Network
      · Choose the DNS tab
      · Create a "New" DNS Host Record
          Hostname: The FQDN of the Active Directory Server
          Accessibility: Private
          IP Address: The IP Address of the Active Directory Server
          Caption: (Optional)

    Adding the Authentication Server
    · In the SGMI go to Assets > Authentication Servers.
    · Choose the Authentication Servers Tab.
    · Create a "New" Authentication Server using LDAP by selecting New > LDAP.

    In the General tab, enter the following.
    Name: A unique name for the server options
    Check the option for SSL-based
    Primary Server: Enter the FQDN of the Active Directory Server
    Primary server port: 389
    Alternate server: Optional - Enter the FQDN of an additional Active Directory Server
    Alternate server port: 389



    The "Search Parameters" tab
    Base DN (search root): In the example below, the AD Domain is 2kad.local. The format is CN=Users,DC=Domain,DC=RootDomain (for 2kad.local this is CN=Users,DC=2kad,DC=local).
    Group membership information used in queries: Select "User DN"

    The "Schema" Tab
    Uncheck the option "Use standard LDAPv3 person class"
    User object class: user
    User ID attribute: sAMAccountName
    Group object class: group
    Primary group attribute: cn
    Group member attribute: Member

    The "Bind" tab
    Check the option "Authenticate to the server using Distinguished Name (DN) and password"
    Server authentication DN:
    cn=%adminaccount%, cn=users, dc=%Domain%, dc=%RootDomain%
    -- In the example below, the account is "administrator" and the domain is 2kad.local, giving cn=administrator,cn=users,dc=2kad,dc=local


    Click on "OK" to finish entering in the LDAP connection to the authentication server.

    Save and activate the changes to the firewall.


    Setting up the Scheme
    In order to use the authentication for rules and VPN traffic, create the Scheme with the name "dynamic" and select the authentication server set up in the previous steps.
    Scheme name: dynamic
    Check the option to "Reuse HTTP passwords"
    Check the options for the server set up in the previous steps, for both Authentication and Group Information.
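    As an added check that is not part of the Symantec article, the following Python assembles the DNs and search filters these settings imply, plus the equivalent OpenLDAP ldapsearch command line, so the Base DN, bind DN and schema attributes can be verified from a workstation before the firewall configuration is activated. The host name dc1.2kad.local and the login jdoe used in the test are constructed for the example; the escaping functions go beyond the article's values and handle logins containing LDAP metacharacters.

```python
# Added example, not from the article: builds the DNs and filters that the
# article's LDAP settings imply for Windows 2000 AD, so they can be verified
# with a standalone LDAP client before being typed into the SGMI.
# Schema tab values. LDAP attribute names are case-insensitive, so the
# article's "Member" is the same attribute as AD's "member".
USER_OBJECT_CLASS = "user"
USER_ID_ATTRIBUTE = "sAMAccountName"
GROUP_OBJECT_CLASS = "group"
GROUP_MEMBER_ATTRIBUTE = "member"
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter(value: str) -> str:
    """RFC 4515 escaping of a value inside a search filter, so a login name
    like 'a)(objectClass=*' cannot rewrite the query (LDAP injection)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn(value: str) -> str:
    """RFC 4514 escaping of an attribute value used inside a DN."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def base_dn(domain: str) -> str:
    """Search root in the article's format: '2kad.local' -> 'CN=Users,DC=2kad,DC=local'."""
    return "CN=Users," + ",".join("DC=" + label for label in domain.split("."))

def bind_dn(account: str, domain: str) -> str:
    """Server authentication DN: cn=<admin>,cn=users,dc=<Domain>,dc=<RootDomain>."""
    return f"cn={escape_dn(account)},cn=users," + ",".join("dc=" + x for x in domain.split("."))

def user_filter(login: str) -> str:
    """Lookup the firewall performs for a user ID: class 'user' matched on sAMAccountName."""
    return f"(&(objectClass={USER_OBJECT_CLASS})({USER_ID_ATTRIBUTE}={escape_filter(login)}))"

def group_filter(user_dn: str) -> str:
    """Group membership by 'User DN': groups whose member attribute holds the user's full DN."""
    return f"(&(objectClass={GROUP_OBJECT_CLASS})({GROUP_MEMBER_ATTRIBUTE}={escape_filter(user_dn)}))"

def ldapsearch_args(host: str, domain: str, account: str, login: str, port: int = 389) -> list:
    """Equivalent OpenLDAP ldapsearch invocation. -x is a simple bind and -W prompts for
    the password; over ldap:// on 389 that password crosses the wire in cleartext, which
    is the unsecured setup this article covers (ldaps:// on 636 is the encrypted form)."""
    return ["ldapsearch", "-H", f"ldap://{host}:{port}", "-x", "-D", bind_dn(account, domain),
            "-W", "-b", base_dn(domain), user_filter(login), "dn", USER_ID_ATTRIBUTE]
```

    If the user search returns the expected DN and the group filter built from that DN lists the user's groups, the Search Parameters and Schema values are correct before they are entered in the firewall.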

Legacy ID



2008062706284254

