Manual Chapter: FirePass Controller version 5.4 Handbook: Using Groups with FirePass Controllers

Chapter 5: Using Groups with FirePass Controllers


Overview of FirePass controller groups

FirePass controller groups provide a great deal of flexibility and power. You can configure your users and groups externally (using an LDAP server or Active Directory, for example) and import these users and groups into the FirePass controller, creating groups based on your external definitions. You can even configure the FirePass controller to dynamically update its group membership when you make changes to your external groups.

FirePass controller allows you to create two types of groups: master groups, and resource groups. Master groups contain user information, including details about authentication methods. Resource groups contain information about applications (resources) that are available to FirePass controller users.

Master groups

FirePass controller master groups give you a way to organize the FirePass controller users in logical groupings. Master groups contain user information including authentication and signup template information, security policies, and user experience customization. Master groups may also include links to resource groups. Every FirePass controller user must be assigned to one, and only one, master group. For more information, see Understanding master groups.

Resource groups

FirePass controller resource groups contain information about accessing user applications, including webifyer and adapter configuration information (the favorites appearing on the FirePass controller webtop). Resource groups may be linked to master groups, and to user accounts. Users can be assigned to none, one, or multiple resource groups. For more information, see Understanding resource groups.

Understanding master groups

FirePass controller master groups are composed of users, authentication methods, and security and policy information. Master groups are powerful because they allow the FirePass controller administrator to group sets of users together based on common conditions.

If you have groups external to the FirePass controller (for example, Windows Domain users), you can map these groups to FirePass controller groups that you associate with the external groups. For example, if your network is organized by department, you can import the organization into FirePass controller and create master groups that map to the network organization. In this case, you do not have to manually add each user to their master group. The FirePass controller can issue a query to get user information, and use this to assign each user to a master group.

Note

Each FirePass controller user must be assigned to a master group.

Working with master groups

The FirePass controller has a default master group called Default. You can use this default master group without creating any other master groups, or you can create your own master groups to use instead of, or along with, the default group. You cannot delete the default master group.

You can manually add users to the default master group or to any master groups you create. You can also import users from an external source, or configure the FirePass controller to dynamically assign users to the appropriate master groups based on an external source, as the users log into FirePass controller, using dynamic group mapping.

When working with master groups, you use the Master Groups screens, starting with the Master Groups list screen. This screen lists all the master groups, including the default master group. For more information about the Master Groups screen, see Using the Master Groups list screen. Use the following procedure to access the Master Groups list screen. Once you are on the Master Groups list screen, you can navigate to any screen you need for managing your master groups.

To access the Master Groups list screen

  1. Connect to the FirePass controller Administrative Console using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Users.
    The Manage Users screen displays.
  4. Expand Groups.
    The Master Groups list screen displays.

Using the Master Groups list screen

The Master Groups list screen displays all the master groups, along with some configuration information. Sort the list of master groups by group name or authentication method by clicking the Group Name or Authentication column heading.

Using the Master Groups list screen, you can create a new master group, access and configure master groups in several ways, and delete master groups. From the Master Groups list screen, you can:

  • Create a new master group. To create a new master group, click the Create new group button in the upper right. For details on creating master groups, see Creating master groups.
  • Configure a master group. To configure a master group, click the group name, or any of the options in the Authentication, Resource Groups, Signup Template, or Far-end Policy columns. For details on configuring master groups, see Configuring a master group.
  • View the users assigned to the group. To see the assigned users, click Show.
  • Move the assigned users to a different master group. To move users from one master group to a different master group, click Move.
  • Delete a master group. To delete a master group, click Delete. The FirePass controller prompts you for a master group to reassign the users to. You can choose to delete the users instead of reassigning them when you delete a master group.

Understanding entries in the Master Groups list

The columns of the Master Groups list screen provide information about each master group. Click a column entry to open the tabbed Master Group configuration screen or a user or group management screen.

  • The Group Name column lists the name of each group. Click a group name to open the Master Group configuration screen with the General tab selected.
  • The Authentication column lists the type of authentication the group uses. Click the authentication method to open the Master Group configuration screen with the Authentication Method tab selected.
  • The Resource Groups column lists how many resource groups are assigned to the master group, and whether dynamic resource assignment is enabled. Click the Resource Groups entry to open the Master Group configuration screen with the Resource Groups tab selected.
  • The Signup Template column shows whether signup templates are enabled (options are: N/A, No, and Yes). Click a No or Yes entry to open the Master Group configuration screen with the Sign-up Template tab selected.
  • The Far-end Policy column shows if a policy is enabled, and if Protected Workspace or Client Certificates are required. It also displays any policy restrictions. Click an entry to open the Master Group configuration screen with the Far-end Policy tab selected.
  • The Users column allows you to display the users in the group, or move users to other groups. Click Show to view users in a group. Click Move to move assigned users to a different master group.
  • Delete a group by clicking Delete at the end of a row.

Note

You cannot delete the Default master group.

Working with the Master Group configuration screen

You can access and configure master groups in several ways from the tabbed Master Group configuration screen.

  • You can configure:
    • How users and resources are assigned to the group (General tab)
    • What authentication method the group uses (Authentication tab)
    • What resource groups are assigned to the master group (Resource Groups tab)
    • Whether a sign-up template should be used (Sign-up Template tab)
    • What far-end policies (if any) the group uses (Far-End Policy tab)
    • The FirePass controller webtop appearance for users (User Experience tab)
    For details on configuring master groups, see Configuring a master group.

  • You can switch to a different master group by selecting a group from the Group list box at the upper left. This is an easy way to change the master group you are configuring, without returning to the Master Groups list screen.
  • You can use the Back to group list link to return to the Master Groups list screen. (You can also return to the Master Groups list screen by clicking Master Groups in the navigation pane.)

Creating master groups

The FirePass controller includes a default master group, called Default. You do not need to create any additional FirePass controller master groups if you are using only the default master group. However, you can create your own master groups to use instead of, or along with, the default master group.

Use the Master Groups list screen to create a new master group.

To create a FirePass controller master group

  1. Navigate to the Master Groups list screen.
  2. Click the Create new group button in the upper right.
    The Group Management screen displays.
  3. In the New group name box, type the name of your group.
    Group names may be up to 16 characters in length and cannot include any spaces or non-alphanumeric characters.
  4. Using the Copy settings from list, select a master group to use as a template for webifyer settings. The new group copies all the webifyer settings from the existing group into the new group.
  5. Click Create to create the new master group.
    The group is created, and the Master Group configuration screen displays, with the General tab selected.

Configuring a master group

After creating a master group, the next step is to configure the group. Configuration options include how users and resources are assigned to the group, what authentication method the group uses, which resource groups are assigned to the master group, whether sign-up templates are used, what far-end policies are used, and what the FirePass controller webtop appearance will be for the group's users.

Configuring user and resource assignment

You can configure how users and resources (resource groups) are assigned to a master group. Users can be added manually, imported, or dynamically mapped from an external source. You can also dynamically map resources to a master group.

To configure user and resource assignment

  1. Navigate to the Master Groups list screen.
  2. Click the name of the master group you want to configure user and resource assignment for.
    The Master Group configuration screen displays.
  3. On the General tab, select the method for assigning users to the group:
    • manually or via user import - selected by default
    • using dynamic group mapping.
  4. Enable or disable dynamic resource assignment by selecting Enable or Disable. By default Enable is selected.
  5. Click Update to save the changes.

Changing the authentication method for a master group

The default FirePass controller authentication is Internal User Database Authentication. If this is not appropriate for your site, you can change the authentication method using the tabbed Master Group configuration screen.

To change the master group authentication method

  1. Navigate to the Master Groups list screen.
  2. Click the name of the master group you want to configure authentication for.
    The Master Group configuration screen displays, with the General tab selected by default.
  3. Click the Authentication tab.
    The Authentication Method screen displays.
  4. Click the Convert authentication method link.
    The screen refreshes to show a list of possible authentication methods.
  5. Select the authentication your site uses.
    A prompt asks if you are sure you want to convert the authentication scheme.
  6. Click the Continue button.
    The screen refreshes to show additional fields.
    The type of authentication you choose affects options on other tabs. For example, sign-up templates do not apply if you are using Internal User Database Authentication, VASCO DigiPass authentication, or Basic HTTP Authentication to External Server.
  7. Type the appropriate information in the fields and click Save Settings. For detailed help on input fields for each authentication type, click the Help button and click the link for the method you are using.
    For example, if you are using Windows Domain authentication, type your domain name in the Domain name box. You can add a primary domain controller server name in the PDC server name box if you are using a primary domain controller, and the IP address of your WINS server in the WINS server IP address box if you are using WINS. If you want the FirePass controller users to log on to the FirePass controller using the domain and user name, check the Require user logon in form DOMAIN\username box.
  8. If you are using external authentication, and you want to allow FirePass controller users to sign up using a template, click the Sign-up Template tab.
    The Signup Templates screen displays.
  9. Select the options you want to use, including what kind of display the user will see (FirePass Webtop, or Desktop Access), and click Update Template to update the information.

Assigning resource groups to a master group

You can assign resource groups to master groups. Any user that belongs to the master group will be assigned the resource groups. This allows you to automatically assign resources to all users in a master group.

To assign resource groups to the master group

  1. Navigate to the Master Groups list screen.
  2. Click the name of the master group you want to assign resources to.
    The Master Group configuration screen displays, with the General tab selected by default.
  3. Click the Resource Groups tab.
    The Resource Groups page displays.
  4. To assign a resource group to the master group:
    1. Select a resource group from the Available list, and click the Add button.
      The selected group is moved to the Selected list. Selected groups are automatically assigned to users in the master group.
    2. Click Update to update the list.
  5. By default, the group called Default_resource is assigned to each master group. If you want to remove this group, select the Default_resource group in the Selected list, and click the Remove button.

Note

You can remove all resource groups from the selected list. If you do this, the master group will have resource groups assigned only if you use dynamic group mapping. For more information, see Resource groups and group mapping.

Configuring far-end policies for a master group

You can configure client (far-end) security options to require certain conditions on the client workstation. Configure far-end policy options on the tabbed Master Group configuration screen.

To configure far-end policies

  1. Navigate to the Master Groups list screen.
  2. Click the name of the master group you want to configure far-end policies for.
    The Master Group configuration screen displays, with the General tab selected by default.
  3. Click the Far-End Policy tab.
    The Configure Far End Policy screen displays.
  4. Select the policy you want from the Select policy list.

Note

The options on the list depend on how you configure far-end security on the Device Management : Security : Far End Security screen.

  5. From the Select policy list, select the policy you want for the master group. The default is to not apply any far-end policies to the group. Each choice refreshes the screen and displays additional configuration options.
    1. If you want to require a workstation to have a client certificate in order for a user to log into the FirePass controller, select Client Certificate is required for user login. With this option selected, you can also require that the user's login name match the common name on the certificate. To require this, select the Login username must match certificate common name box.
    2. If you want to limit access to certain webifyers by client certificate, select Client Certificate is required for access to select webifyers. With this option selected, you can require that the user's login name match the common name on the certificate. To require this, select the Login username must match certificate common name box.
      Select the webifyers that require a client certificate for access.
    3. If you want to require Protected Workspace in order for a user to log into the FirePass controller, select the Protected Workspace is required for user login option.
      Protected Workspace is a workspace created at logon, specifically for the FirePass controller session. It is available only during the session, and when the client logs off, the Protected Workspace is deleted, along with any files downloaded during the session.
    4. If you want to require Protected Workspace in order for a user to access specific webifyers, select the Protected Workspace is required for access to select webifyers option.
      With this option, select the webifyers that require a client certificate for access.

Configuring the user experience for a master group

You can customize the desktop display for all the users in a master group by configuring User Experience options on the User Experience screen.

To configure user experience options

  1. Navigate to the Master Groups list screen.
  2. Click the name of the master group you want to configure user experience for.
    The Master Group configuration screen displays, with the General tab selected.
  3. Click the User Experience tab.
    The User Experience screen displays.
  4. To allow users to change user information, select the Allow user to change user information box.
  5. If you want to suppress the display of a logo and banner on the webtop, select the FirePass Webtop doesn't show logo and banner by default box.
  6. You can choose one of three options for how webifyer icons and favorites appear on the webtop:
    • Show Favorites only, hide Webifyer icons
    • Show both Favorites and Webifyer icons
    • Show Webifyer icons only (classic look)
  7. To configure FirePass so that the most-used webifyers display at the top of the webifyer list, select Enable user-level adaptive ordering of webifyers.
  8. Using the large table, select the webifyers you want to display on the desktop, and order them using the Initial Order column. (For assistance on this screen, click the Help button.)
  9. Click Update to update the master group configuration.

Understanding resource groups

FirePass controller resource groups contain configuration information about web applications, Windows files, UNIX files, App Tunnels, Legacy Hosts, X Windows, and Network Access. Resource groups allow you to preconfigure specific applications and access by group, and assign the group to a master group or an individual user. Multiple resource groups can be assigned to users through master groups, or directly assigned to the user accounts.

Note

If a resource group is linked to a master group, and the same resource group is assigned individually to a user, the individual assignment takes precedence. This means that, if you move the user to a different master group (one that does not have a link to the resource group), the user will retain the resource group as a result of the individual assignment.

Working with resource groups

FirePass controller has a default resource group called Default_resource. You can create your own resource groups to use instead of, or along with, the default group. You can manually assign a resource group to a master group. You can also configure the FirePass controller to dynamically assign resource groups to master groups based on an external source, as the users log into the FirePass controller.

When working with resource groups, you use the Resource Groups screens, starting with the Resource groups list screen. This screen lists all the resource groups, including the default group. For more information about the screen, see Using the Resource groups list screen. Use the following procedure to access the Resource groups list screen. Once you are on the Resource groups list screen, you can navigate to any screen you need for managing your resource groups.

To access the Resource groups list screen

  1. Connect to the FirePass controller Administrative Console using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Users.
    The Manage Users screen displays.
  4. Expand Groups.
    The Master Groups list screen displays.
  5. Click Resource Groups to display the Resource groups list screen.

Using the Resource groups list screen

The Resource groups list screen displays all the resource groups. Use the Resource groups list screen to create a new resource group, to edit a resource group configuration, or to delete an existing group.

  • To create a new group, click the Create new group button in the upper right. For details on creating a resource group, see Creating resource groups.
  • To edit a resource group configuration, click Edit or the name of a resource group.
  • To delete a resource group, click Delete.

When you click Edit or the name of a resource group on the Resource groups list screen, the Resource Group configuration screen for that group displays. Use the Resource Group configuration screen to configure resource groups with favorites.

Working with the Resource Group configuration screen

You can access and configure resource groups in several ways from the tabbed Resource Group configuration screen:

  • You can create and configure FirePass controller web application favorites for a resource group by clicking the tabs. Tabs include:
    • Web Applications
    • Windows Files
    • Unix Files
    • App Tunnels
    • Legacy Hosts
    • Terminal Servers
    • X Windows
    • Network Access
    For details on configuring resource group favorites, see Configuring resource group favorites.

  • You can switch to a different resource group by selecting a group from the Resource Group list box. This is an easy way to switch from one resource group to another, without returning to the Resource groups list screen.
  • You can return to the Resource groups list screen by clicking the Back to group list link. (You can also return to the Resource groups list screen by clicking Resource Groups in the navigation pane.)

Creating resource groups

Create FirePass controller resource groups on the Users : Groups : Resource groups list screen. This screen lists all the resource groups, including the default resource group. For more information about the screen, see Using the Resource groups list screen.

To create a FirePass controller resource group

  1. Navigate to the Resource groups list screen.
  2. Click the Create new group button in the upper right.
    The Group Management screen displays.
  3. In the New group name box, type the name of your group.
    Group names may be up to 16 characters in length and must not include any spaces or non-alphanumeric characters.
  4. To create the new resource group, click Create.
    The group is created, and the resource group configuration screen displays, with the Web Applications tab selected.

Configuring resource group favorites

Once you have created resource groups, the next step is to configure favorites for the resource group. Any user to whom a resource group is assigned automatically gets the configured favorites of that resource group. Favorites include web applications, Windows files, UNIX files, App Tunnels, Legacy Hosts, Terminal Servers, X Windows, and Network Access. You configure the favorites for resource groups based on which users will have the resource groups assigned to them.

Creating web application favorites

Web application favorites provide remote users with secure access to Web servers on your organization intranet.

To configure web application favorites

  1. Navigate to the Resource groups list screen.
  2. In the Resource groups list, click the name of the resource group you want to configure favorites for.
    The resource group configuration screen displays, with the Web Applications tab selected.
  3. On the Web Applications screen, click the Add New Favorite link to configure a web application.
    New fields display on the screen.
  4. In the Name box, type a name for the web application favorite.
  5. In the Url box, type the URL for the web application.
  6. Using the Url variables box, you can configure variables to be appended to the URL, or posted.
    For more information, including details on other screen options, click the Help button.

Configuring Windows files favorites

Windows files favorites provide remote users with the ability to browse and view files stored on Windows servers on your LAN.

To configure Windows files favorites

  1. Navigate to the Resource groups list screen.
  2. Click the name of the resource group for which you want to configure favorites.
    The resource group configuration screen displays with the Web Applications tab selected.
  3. Click the Windows Files tab to display the Windows Files Favorites screen.
  4. To configure a new Windows Files favorite, click Add New Favorite.
    The screen refreshes to display new fields.
  5. In the Name box, type a name for the Windows files favorite.
  6. In the Path box, type a path for the Windows files.
    • To substitute for the user's logon in the path, use %username%.
    • To substitute for the group name, use %group%.
    • For example: \\server-name\%username%

Note

The FirePass controller does not verify the path you type.

  7. Click Add New to add the favorite.

Configuring UNIX files favorites

UNIX files favorites provide remote users with the ability to browse and view files stored on UNIX servers on your LAN.

To configure UNIX files favorites

  1. Navigate to the Resource groups list screen.
  2. Click the name of the resource group for which you want to configure favorites.
    The resource group configuration screen displays, with the Web Applications tab selected.
  3. Click the Unix Files tab to display the Unix Files Favorites screen.
  4. Click Add New Favorite to configure a new UNIX files favorite. New fields display.
  5. In the Name box, type a name for the UNIX files favorite.
  6. In the Path box, type a path to the files on the UNIX server.

Note

Be sure there are no trailing spaces in the path.

  7. Click Add New to add the favorite.
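
Because the controller does not verify Windows files paths, and UNIX paths must not end in a space, a pre-entry check catches mistakes before they reach users. The following Python is an added example, not F5 code; the favorites list is constructed, and requiring the \\server\share form is an assumption taken from the page's own example path.

```python
import re

# The two substitution variables this page documents for Windows files paths.
KNOWN_PLACEHOLDERS = {"%username%", "%group%"}
_TOKEN = re.compile(r"%[^%\\/\s]*%")          # anything written as %...%
_UNC = re.compile(r"^\\\\[^\\\s]+\\[^\\]")    # \\server\share... (assumed form)


def lint_windows_path(path):
    """Return the problems found in one Windows files favorite path."""
    problems = []
    if path != path.strip():
        problems.append("leading or trailing whitespace")
    if not _UNC.match(path.strip()):
        problems.append("not a UNC path")
    for token in _TOKEN.findall(path):
        # A misspelled variable is never substituted and stays literal.
        if token not in KNOWN_PLACEHOLDERS:
            problems.append("unknown placeholder " + token)
    if path.count("%") % 2:
        problems.append("unbalanced % sign")
    return problems


def lint_unix_path(path):
    """The page's only stated rule for UNIX paths: no trailing spaces."""
    return ["trailing space"] if path != path.rstrip() else []


def lint_favorites(favorites):
    """Map favorite name -> problems, for favorites that have any."""
    checks = {"windows": lint_windows_path, "unix": lint_unix_path}
    report = {}
    for kind, name, path in favorites:
        problems = checks[kind](path)
        if problems:
            report[name] = problems
    return report


# Constructed sample favorites: (tab, favorite name, path as typed).
FAVORITES = [
    ("windows", "Home", r"\\server-name\%username%"),
    ("windows", "Dept", r"\\fs01\%groupname%\shared"),
    ("windows", "Scratch", r"\\fs01\scratch\%username"),
    ("unix", "Export", "/export/projects "),
]

if __name__ == "__main__":
    for name, problems in lint_favorites(FAVORITES).items():
        print(name, "->", "; ".join(problems))
```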

Configuring App Tunnels favorites

App Tunnels allow a remote FirePass controller user to access a TCP/IP client/server application on your LAN.

To configure App Tunnels favorites

  1. Navigate to the Resource groups list screen.
  2. Click the name of the resource group for which you want to configure favorites.
    The resource group configuration screen displays, with the Web Applications tab selected.
  3. Click the App Tunnels tab to display the App Tunnels Favorites screen.
  4. Click Add New Favorite to configure a new App Tunnels favorite. New fields display.
  5. In the Name box, type a name for the App Tunnel favorite.
  6. In the Add new box, select an application class from the list, and type the IP address or name for the remote server in the Remote Host box.
  7. Click Add New to add the App Tunnel favorite.

Configuring Legacy Host favorites

Legacy Host favorites provide remote FirePass controller users access to legacy applications on your organization's hosts.

To configure Legacy Host favorites

  1. Navigate to the Resource groups list screen.
  2. Click the name of the resource group for which you want to configure favorites.
    The resource group configuration screen displays with the Web Applications tab selected.
  3. Click the Legacy Hosts tab to display the Legacy Hosts Favorites screen.
  4. Click Add New Favorite to configure a new Legacy Hosts favorite. New fields display.
  5. In the Name box, type a name for the Legacy Hosts favorite.
  6. In the Host box, type the host name or IP address.
  7. In the Port box, specify the port number for the host.
  8. If you want the favorite to use SSH when accessing the host, select Use SSH.
  9. Select the appropriate terminal type from the Term-type list.
  10. Type a session name in the Session name box (if appropriate).
  11. Select the appropriate default character set from the Default charset list.
  12. Click Add New to add the Legacy Hosts favorite.

Configuring Terminal Server favorites

Terminal Server favorites give remote users access to PCs running Terminal services, Citrix MetaFrame servers, and VNC servers.

To configure Terminal Servers favorites

  1. Navigate to the Resource groups list screen.
  2. Click the name of the resource group for which you want to configure favorites.
    The resource group configuration screen displays, with the Web Applications tab selected.
  3. Click the Terminal Servers tab to display the Terminal Servers Favorites screen.
  4. Click Add New Favorite to configure a new Terminal Server favorite.
    New fields display.
  5. In the Name box, type a name for the Terminal Server favorite.
  6. In the Host box, type the host name or IP address of the computer running Terminal services. You can enter multiple names or IP addresses, separated by spaces.
  7. From the Port list, select a server type.
    A default port is automatically added to the Port box. Edit this port if necessary.
  8. In the Select a program box, type the complete path and program name for the program to be run on the remote server.
  9. In the Working Dir field, type a working directory on the server.
  10. To have the Terminal server application open in a separate window on the user's screen, check the Open in new window box.
  11. If you want users to have access to drives on the remote server, check the Allow access to local drives box.
  12. Click Add New to add the Terminal Server favorite.

Configuring X Windows favorites

X Windows favorites give FirePass controller users the ability to connect to applications using the X protocol on your network.

To configure X Windows favorites

  1. Navigate to the Resource groups list screen.
  2. Click the name of the resource group for which you want to configure favorites.
    The resource group configuration screen displays, with the Web Applications tab selected.
  3. Click the X Windows tab to display the X Windows Favorites screen.
  4. Click Add New Favorite to configure a new X Windows favorite.
    New fields display.
  5. In the Name box, type a name for the X Windows favorite.
  6. From the Screen Access list, select the appropriate option. If you are not sure, select Java Real Time.
  7. From the Terminal Type list, select the correct access method.
  8. In the Host field, type the host name or IP address.
  9. If you want the favorite to remember the user login and password, check the Remember Logon/Password box. Then type default login and password values in the Login/Password box.
  10. From the Xwindow Type list, select the correct X Window type.
  11. In the Custom command box, type the first command to be run from the host prompt after logon.
  12. Click Save to add the favorite.

Configuring Network Access favorites

Network Access favorites provide remote FirePass controller users with SSL VPN access to applications and network resources on your LAN.

To configure Network Access favorites

  1. Navigate to the Resource groups list screen.
  2. Click the name of the resource group for which you want to configure favorites.
    The resource group configuration screen displays, with the Web Applications tab selected.
  3. Click the Network Access tab to display the Network Access Favorites screen.
  4. For detailed information on how to configure Network Access, see Chapter 4, Configuring Network Access.
  5. When you are done, click Add New to add the Network Access favorite.

Understanding group mapping

You can configure the FirePass controller to dynamically assign users to a FirePass controller group at logon time. This FirePass controller feature can save you configuration time by eliminating the need for you to reconfigure the FirePass controller groups every time an external change occurs (for example, on an LDAP server). Dynamic group mapping updates FirePass controller groups as users are added, moved, or deleted.

How dynamic group mapping works

You can dynamically map both kinds of FirePass controller groups (master groups, and resource groups).

The process of dynamic group mapping takes place in three steps. When a user connects to the FirePass controller:

  1. The FirePass controller queries any external servers that are configured as mapping methods. The FirePass controller also gathers information from the client workstation if that information is available.
    For example, if LDAP is configured as a mapping method, the FirePass controller sends a query to the LDAP server, looking for the user. If client certification is required, the FirePass controller checks for a certificate on the client workstation. For more information on configuring mapping methods, see Configuring mapping methods.
  2. The FirePass controller compares the results of the query with each entry in the mapping table, looking for a match. For details on the mapping table, see Adding resources to the mapping table.
  3. The FirePass controller uses the first matching master group entry to map the master group to the user. All matching entries for resource groups are assigned to the user.
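
The sketch below models the three steps above so you can see how entry order affects the master group a user receives. It is an added example, not FirePass controller code; the entry fields, method labels, exact-string matching, top-to-bottom evaluation order, and sample LDAP names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MappingEntry:
    method: str    # mapping method (hypothetical labels: "ldap", "client_cert")
    external: str  # external group or attribute value to match
    kind: str      # "master" or "resource"
    group: str     # FirePass controller group name

def resolve_groups(query_results, mapping_table):
    """Model one logon. Returns (master, resources, shadowed_masters).

    query_results: method -> set of values gathered in step 1.
    mapping_table: entries compared top to bottom in step 2 (assumed order).
    """
    master, resources, shadowed = None, [], []
    for entry in mapping_table:
        if entry.external not in query_results.get(entry.method, set()):
            continue
        if entry.kind == "master":
            if master is None:
                master = entry.group          # step 3: first matching master entry is used
            elif entry.group != master:
                shadowed.append(entry.group)  # matched, but never applied
        elif entry.group not in resources:
            resources.append(entry.group)     # step 3: all matching resource entries assigned
    return master, resources, shadowed

# Constructed sample data (not from the handbook).
CONTRACTORS = "cn=contractors,ou=groups,dc=example,dc=com"
ENGINEERING = "cn=engineering,ou=groups,dc=example,dc=com"
TABLE = [
    MappingEntry("ldap", CONTRACTORS, "master", "Contractors"),
    MappingEntry("ldap", ENGINEERING, "master", "Engineering"),
    MappingEntry("ldap", ENGINEERING, "resource", "EngApps"),
    MappingEntry("client_cert", "OU=Managed", "resource", "NetworkAccess"),
]

if __name__ == "__main__":
    # A user who belongs to both external groups and presents a matching certificate.
    user = {"ldap": {CONTRACTORS, ENGINEERING}, "client_cert": {"OU=Managed"}}
    print(resolve_groups(user, TABLE))
    # Swapping the two master entries changes which master group applies.
    print(resolve_groups(user, [TABLE[1], TABLE[0]] + TABLE[2:]))
```

A non-empty third value means the user matched more than one master group entry, so the security policy applied depends on which entry comes first.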

Master groups and group mapping

By default, master groups do not use any mapping. This means that you can assign users either manually, or by importing users from an external list.

When using dynamic group mapping, users' groups are determined at logon time, using one of several administrator-defined mapping methods.

You can designate dynamic mapping for a master group when you create the group, or at any time after the group has been created. For more information on how to create a master group, see Creating master groups. For details on dynamic mapping of master groups, see Configuring dynamic group mapping.

To configure an existing master group for dynamic group mapping

  1. Connect to the FirePass controller Administrative Console using a Web browser.
  2. To log in, type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Users.
    The Manage Users screen displays.
  4. Expand Groups.
    The Master Groups list screen displays.
  5. Click the name of the group you want to configure.
    The tabbed Master Group configuration screen displays, with the General tab selected.
  6. Under Assign users to this group, select using dynamic group mapping, and click the Update button to update the FirePass controller with the change.

To configure a new master group for dynamic group mapping

  1. Navigate to the Master Groups list screen.
  2. Click the Create new group button at the upper right.
    The Group Management screen displays.
  3. In the New group name box, type the name of the new master group.
  4. From the Copy settings from list, select the master group whose settings should be copied to the new group, and click the Create button to create the new group.
    The tabbed Master Group configuration screen for the master group displays.
  5. Under Assign users to this group, select using dynamic group mapping, and click the Update button to update the FirePass controller with the change.

Configuring dynamic group mapping

Dynamic group mapping can simplify FirePass controller user management by mapping FirePass controller groups to external groups at the point when a FirePass controller user logs in. The power of dynamic group mapping lies in the fact that you only have to make a change in your external source (LDAP or Windows Domain server, for example). If you dynamically map Windows Domain user groups to FirePass controller groups, you can move or delete users on the Windows Domain server, and the FirePass controller will update the FirePass controller groups dynamically.

You must configure several settings before you can use dynamic group mapping. The steps for configuring dynamic group mapping include:

  • Configure one or more mapping methods
  • Specify the request configuration
  • Add entries to the mapping table

In addition, if you are using LDAP mapping, you can optionally:

  • Configure the user information mapping

To navigate to the Dynamic Group Mapping screens

  1. Connect to the FirePass controller Administrative Console using a Web browser.
  2. Log in to the FirePass controller as administrator. Type your user name in the Username box, your password in the Password box, and click Go.
  3. On the navigation pane, click Users, expand Groups, and click Dynamic Group Mapping.

Configuring mapping methods

Group mapping methods determine how the dynamic mapping is accomplished. The FirePass controller supports dynamic mapping using several different methods. You can choose one or more of these mapping methods:

  • LDAP server query
    • User object
    • Group object
    • Filter
  • Windows Domain server query
  • Active Directory server query
  • RADIUS server query
  • Client certificates attributes
  • Landing URIs

To configure dynamic group mapping methods

  1. Navigate to the Dynamic Group Mapping screen.
    The Mapping Methods tab is selected.
  2. Select the method or methods you want to use for dynamic mapping.
  3. Click the Update button to update the FirePass controller with the selected mapping method(s).

Specifying the request configuration

The Request Configuration screen gives you a way to provide details for each configured mapping method.

To configure request configuration information

  1. Navigate to the Dynamic Group Mapping screen.
  2. Click the Request Configuration tab.
    The Request Configuration screen displays.
  3. From the Select method to configure request list, select the mapping method you want to configure.
  4. Click the Switch button to update the Request Configuration screen for the selected mapping method.
  5. Type the information for each of the mapping methods, and click the Update button to update the configuration.
    For details on request configuration parameters, see the online help.

Adding resources to the mapping table

The mapping table gives you an easy way to map external groups to FirePass controller groups. You can map both master groups and resource groups.

To configure the dynamic group mapping table

  1. Navigate to the Dynamic Group Mapping screen.
  2. Click the Mapping table tab.
    The Mapping table screen displays.
  3. From the Mapping Method list, select the mapping method you want to map, and click the Add button.
    A list of external groups displays. (If no external groups display, you may need to update your request configuration as described in Specifying the request configuration.)
  4. Select the FirePass controller groups you want to map to the external groups.
  5. Click the Add button to add the entries to the mapping table and map the FirePass controller group(s) to the external group(s).

Configuring user information mapping

If you are using an LDAP mapping method, you have the option to update the internal FirePass controller database using data returned by an LDAP query. Configure this on the User info mapping tab.

To configure user information mapping

  1. Navigate to the Dynamic Group Mapping screen.
  2. Click the User info mapping tab.
    The User info mapping screen displays.
  3. Type the attributes used by your LDAP server in the first name, last name, and email boxes.
  4. Click the Update button to update the user information mapping.

Resource groups and group mapping

Resource groups can be static, or they can be dynamically mapped. A resource group is considered a static resource group when it is explicitly assigned to a master group. You can assign a static resource group to a master group when you create the master group, or at any time after the group has been created.

A resource group is considered a dynamic resource group when it is dynamically assigned based on the mapping table. Dynamic resource mapping (or dynamic resource assignment) can be configured so that it is independent of a master group by enabling dynamic resource assignment on the master group. For more information on creating resource groups, see Creating resource groups. For details on dynamic resource assignment, see Configuring dynamic group mapping.

To assign a static resource group to a master group

  1. Navigate to the Master Groups list screen.
  2. Click the name of the group to which you want to assign a static resource group.
    The tabbed Master Group configuration screen displays.
  3. Click the Resource Groups tab.
  4. From the Available list, select a resource group, and click the Add button to add the group to the Selected list. You can add as many resource groups as you want.
  5. When you are finished adding resource groups, click the Update button to assign the resource groups to the master group.
  6. Click Back to group list to return to the Master Groups list screen.
    The Resources column shows the number of static resource groups assigned to each master group, as well as indicating whether dynamic resource group mapping is enabled.


