User-ID: Tie users and groups to security policies
User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with a wide range of user repositories and terminal services environments. Depending on the network environment, multiple techniques can be configured to map the user identity to an IP address. These techniques include authentication events, user authentication, terminal services monitoring, client probing, directory services integration and a powerful XML API. Once the applications and users are identified, full visibility and control within ACC, policy editing, logging and reporting is available.
Authentication events to capture user identity.
User-ID can be configured to monitor authentication events for Microsoft Active Directory, Microsoft Exchange and Novell eDirectory environments. Monitoring of the authentication events on a network allows User-ID to associate a user with the IP address of the device the user logs in from to enforce policy on the firewall.
- Microsoft Exchange Server: User-ID can be configured to constantly monitor the Microsoft Exchange logon events produced by clients accessing their email. Using this technique, even Mac OS X, Apple iOS and Linux/UNIX client systems that don't directly authenticate to Microsoft Active Directory can be discovered and identified.
- Novell eDirectory: User-ID can query and monitor logon information to identify users and group memberships via standard LDAP queries on the Novell eDirectory servers.
- Microsoft Active Directory: User-ID constantly monitors domain controller event logs to identify users when they log onto the domain. When a user logs onto the Windows domain, a new authentication event is recorded on the corresponding Windows Domain Controller. By remotely monitoring the authentication events on Windows Domain Controllers, User-ID can recognize those authentication events to identify users on the network for creation and enforcement of policy.
Directory integration to capture group membership information.
To allow customers to specify security rules based on user groups and resolve the group members automatically, User-ID integrates with nearly every directory server, including Microsoft Active Directory, using the standards-based LDAP protocol and a flexible configuration. Once configured, the firewall automatically retrieves user and user group information and keeps the information updated to automatically adjust to changes in the user base or organization.
User authentication events capture non-Windows domain users.
This technique allows organizations to configure a challenge-response authentication sequence to collect user and IP address information.
- Captive portal: In cases where administrators need to establish rules under which users are required to authenticate to the firewall prior to accessing the internet, a captive portal can be deployed. Captive portal is used in cases where the user cannot be identified using other mechanisms. In addition to an explicit username and password prompt, captive portal can also be configured to send an NTLM authentication request to the web browser in order to make the authentication process transparent to the user.
- GlobalProtect: Remote users logging into the network with GlobalProtect will provide user and host information to the firewall that, in turn, can be used for policy control.
Terminal services integration.
In environments where the user identity is obscured by Citrix XenApp or Microsoft Terminal Services, the User-ID Terminal Services Agent can be deployed to determine which applications users are accessing. Users sharing IP addresses while working on Microsoft Windows Terminal Services or Citrix can be identified. Completely transparent to the user, every user session is assigned a certain port range on the server, which allows the firewall to associate network connections with users and groups sharing one host on the network.
Client and host probing captures Windows user information.
These techniques allow organizations to configure User-ID to monitor Windows clients or hosts to collect the user identity and map it to the IP address.
- Client probing: If a user cannot be identified via monitoring authentication events, User-ID actively probes Microsoft Windows clients on the network for information on the currently logged on user. Using this mechanism, laptop users who often switch from wired to wireless networks can be reliably identified.
- Host probing: User-ID can also be configured to probe Microsoft Windows servers for active network sessions of a user. As soon as a user accesses a network share on the server, User-ID identifies the origin IP address and maps it to the user name provided to establish the session.
XML API integrates with other, non-standard repositories.
In some cases, organizations may already have a user repository or an application that is used to store information on users and their current IP address. In these scenarios, the XML API within User-ID enables rapid integration of user information with security policies. Examples of how the XML API can be used to collect user and IP address information are described below.
- Wireless environments: Customers using 802.1x to secure corporate wireless networks can leverage a syslog-based integration with the Palo Alto Networks User-ID XML API to identify users as they authenticate to the wireless infrastructure.
- Proxies: Similarly, authentication prompted by a proxy server can be provided to Palo Alto Networks User-ID via its XML API by parsing the authentication log file for user and IP address information.
- Network Access Control (NAC): The XML API allows customers to harvest user information from NAC environments. As an example, Bradford Networks, a NAC solution provider, uses the User-ID XML API to populate user logons and logoffs from its 802.1x solution. This integration allows joint customers to identify users as soon as they connect to the network and set user-based enablement policies.
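As an added example (not Palo Alto Networks code), the syslog-to-XML-API flow described for the wireless and proxy cases above: it parses constructed log lines for user and IP, validates the address, and emits a uid-message payload. The log formats are hypothetical, and the uid-message layout is assumed from PAN-OS documentation rather than taken from this page.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample lines in the style of an 802.1x wireless controller and a
# forward proxy; the field layout is hypothetical, not any vendor's real format.
SAMPLE_SYSLOG = """\
Jun 11 09:14:02 wlc01 dot1x: Authentication succeeded user=CORP\\alice client-ip=10.20.30.41
Jun 11 09:14:09 wlc01 dot1x: Authentication failed user=CORP\\mallory client-ip=10.20.30.99
Jun 11 09:15:55 wlc01 dot1x: Session ended user=CORP\\alice client-ip=10.20.30.41
Jun 11 09:16:10 proxy01 proxy: AUTH OK user=bob src=10.20.31.7
Jun 11 09:17:00 wlc01 dot1x: Authentication succeeded user=CORP\\carol client-ip=10.20.30.999
"""
# Only successful logins and session ends produce mappings; a failed
# authentication must never create a user-to-IP association.
PATTERNS = [
    (re.compile(r"Authentication succeeded user=(?P<user>\S+) client-ip=(?P<ip>\S+)"), "login"),
    (re.compile(r"Session ended user=(?P<user>\S+) client-ip=(?P<ip>\S+)"), "logout"),
    (re.compile(r"AUTH OK user=(?P<user>\S+) src=(?P<ip>\S+)"), "login"),
]

def parse_events(text):
    """Return (event, user, ip) tuples; lines with a malformed IP are dropped."""
    events = []
    for line in text.splitlines():
        for pattern, event in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            try:
                ip = str(ipaddress.ip_address(m.group("ip")))
            except ValueError:
                break  # never push a bogus address into the firewall's mapping table
            events.append((event, m.group("user"), ip))
            break
    return events

def build_uid_message(events, timeout_minutes=20):
    """Serialise events as a uid-message (layout assumed from PAN-OS docs, not this page)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    sections = {kind: ET.SubElement(payload, kind) for kind in ("login", "logout")}
    for event, user, ip in events:
        entry = ET.SubElement(sections[event], "entry", name=user, ip=ip)
        if event == "login":
            entry.set("timeout", str(timeout_minutes))  # mapping expires unless refreshed
    return ET.tostring(root, encoding="unicode")
```

The resulting document is what an integration script would submit to the firewall's User-ID API; the timeout keeps stale mappings from lingering when a logout line is never seen.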