
Configuring LDAP

This Article Applies to:

  • Avast Business CloudCare

IMPORTANT: ESS and ShadowProtect have been officially retired. If you have not yet moved away from these services, please do so immediately to avoid encountering any disruption once they are completely turned off. For more information on CloudCare services discontinuation, see CloudCare Services EoL.

LDAP sync in Email Security Services offers increased reliability and powerful features such as filtering and scheduling.

Create credentials in the ESS Portal

These credentials will allow the AD Sync Agent to connect to Email Security Services and synchronize users.

  1. Under the All Users tab, click LDAP Setup in the left-hand navigation pane
  2. Click Create Credentials
  3. Click Download AD Sync Agent

Install and configure AD Sync Agent

Active Directory synchronization allows administrators to implement a service that maps users and groups from the Active Directory to Email Security Services.

Before you can set up synchronization, you need .NET Framework 4.5.1 on the computer where you will run the Sophos Cloud Active Directory Synchronization Utility.

To synchronize with Active Directory, you need to download and install the Active Directory Sync utility. The utility works as follows:

  • It supports only the Active Directory service
  • It synchronizes active users and groups containing at least one active user
  • It supports automated, one-way synchronization from the Active Directory to Email Security Services. It does not synchronize changes in Email Security Services to Active Directory
  • It can run automatically on a regular basis, as set up by the Email Security Services administrator
  • It doesn't duplicate existing users when an existing Email Security Services user is matched to an Active Directory user. If a match is found, then the existing user is updated with any new or changed information. For example, an email address from Active Directory may be added to an existing user in the Email Security Services portal
  • It can synchronize multiple Active Directory forests. To do this, you need to install the utility on multiple machines and configure each utility to synchronize a different AD forest. We strongly recommend synchronizing different AD forests at different times of day, so that the synchronizations do not overlap

AD Sync setup

  1. Click Next to begin setup
  2. Configure the AD Sync Agent to connect to Email Security Services
    • Copy your Email Security Services credentials (API Key and Secret Key) from the LDAP 2.0 setup in Email Security Services into the corresponding fields and click Next
  3. Configure the Agent to connect to your Active Directory server
    • On the AD Configuration page, specify your Active Directory LDAP server and the credentials of a user account that has read access to the entire Active Directory forest you want to synchronize
    • To stay secure, use an account with the least rights that still provides this access
    • It is recommended that you use a secure LDAP connection, encrypted via SSL, and leave the Use LDAP over an SSL connection checkbox selected. If your LDAP environment does not support SSL, clear the Use LDAP over an SSL connection checkbox and change the port number accordingly. Usually, the port number is 636 for SSL connections and 389 for insecure connections
  4. Select which domains to sync
    • You can include all domains
    • You can select specific domains within the forest to sync
  5. Configure filters
    • If you do not want to synchronize the entire forest, on the AD Filters page you can specify which domains to include in the synchronization. You can also specify additional search options (search bases and LDAP query filters) for each domain. Distinct options can be specified for users and groups
    • Regardless of the group filter settings, AD Sync only creates groups whose members include at least one discovered user

Search bases

You can specify search bases (also called “base distinguished names”). For example, if you want to filter by Organizational Units (OUs), you can specify a search base in this format: OU=Finance,DC=myCompany,DC=com

LDAP query filters

To filter users, for example, by group membership, you can define a user query filter in this format: memberOf=CN=testGroup,DC=myCompany,DC=com
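The endpoint choice in step 3 (LDAPS on 636 versus plain LDAP on 389), the search-base format above and the memberOf query filter are the three values an administrator most often gets wrong. The following script is an added example, not Avast's AD Sync Agent code: it checks a search base DN, builds a correctly parenthesised and escaped user filter, and derives the connection URL from the SSL setting. It assumes a simplified DN grammar (no escaped commas inside values) and, going beyond the page, adds the Active Directory bitwise matching rule that excludes disabled accounts, since the agent is documented to sync only active users.

```python
"""Sanity-check search bases and build LDAP query filters for an AD sync
configuration. Added example, not the AD Sync Agent's own code; only the
standard library is used, so it runs offline."""
import re
from typing import Optional

# RFC 4515 escaping for values embedded in an LDAP filter. Escaping the
# group DN stops a stray '(' or '*' from changing the meaning of the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Simplified RDN grammar (assumption): attr=value, no escaped commas inside
# the value.
_RDN_RE = re.compile(r"^(CN|OU|DC|O|L|ST|C)=[^,=]+$", re.IGNORECASE)

# Active Directory bitwise-AND matching rule and the ACCOUNTDISABLE bit of
# userAccountControl.
_LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
_UF_ACCOUNTDISABLE = 2


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot break out of the filter it is placed in."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_search_base(dn: str) -> bool:
    """Accept a search base such as 'OU=Finance,DC=myCompany,DC=com'.

    Every component must be attr=value and the DN must end with at least
    one DC= component, i.e. it must sit inside a domain naming context.
    """
    parts = [p.strip() for p in dn.split(",")]
    if not parts or not all(_RDN_RE.match(p) for p in parts):
        return False
    dc_tail = 0
    for part in reversed(parts):
        if part.upper().startswith("DC="):
            dc_tail += 1
        else:
            break
    return dc_tail >= 1


def user_filter(group_dn: Optional[str] = None, active_only: bool = True) -> str:
    """Build the user query filter.

    Optionally restricts to members of group_dn (the page's memberOf example)
    and, by default, excludes disabled accounts so that only active users are
    returned.
    """
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if active_only:
        clauses.append(
            f"(!(userAccountControl:{_LDAP_MATCHING_RULE_BIT_AND}:={_UF_ACCOUNTDISABLE}))"
        )
    if group_dn:
        clauses.append(f"(memberOf={escape_filter_value(group_dn)})")
    return "(&" + "".join(clauses) + ")"


def ldap_endpoint(host: str, use_ssl: bool = True, port: Optional[int] = None) -> str:
    """Return the URL the agent would dial: ldaps://host:636 when the
    'Use LDAP over an SSL connection' option is kept, ldap://host:389 otherwise.
    An explicit port overrides the default for non-standard listeners."""
    scheme = "ldaps" if use_ssl else "ldap"
    if port is None:
        port = 636 if use_ssl else 389
    return f"{scheme}://{host}:{port}"


if __name__ == "__main__":
    # Constructed sample values matching the formats used in this article.
    print(validate_search_base("OU=Finance,DC=myCompany,DC=com"))
    print(user_filter("CN=testGroup,DC=myCompany,DC=com"))
    print(ldap_endpoint("dc01.myCompany.com"))
```

The generated filter can be pasted into the agent's user query filter field; the endpoint URL is what to verify with your LDAP client of choice before running the first sync, so that a closed port 636 is caught during setup rather than as a failed scheduled job.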

  6. Configure Schedule
    • Selecting Never sets up a manual sync only
    • Any other schedule option runs the sync at the selected interval
    • Click Finished

The sync begins after you click Finished. You can view the synchronization status in the Email Security Services UI under LDAP Setup.