At Proofpoint Essentials we continue to recommend Microsoft Active Directory (LDAP) as the preferred option for adding new customer accounts. It requires minimal ongoing management, because it can be set to update automatically every 24 hours, which keeps the account list accurate.
Remind me what Active Directory (LDAP) is?
LDAP Discovery is the recommended method for provisioning users on the Proofpoint Essentials platform from Active Directory. It allows users, their email addresses and security groups to be imported directly from a client’s Microsoft Active Directory. It is a one-way synchronisation for your protection and requires read-only permission on Active Directory.
In addition, the Proofpoint Essentials service only supports the usage of Microsoft's Active Directory system.
What are some Active Directory requirements to use with Proofpoint Essentials?
- Microsoft Active Directory server
- Access to the server to manage LDAP
- Ability to use SIMPLE bind authentication
How can I configure Active Directory settings?
Log in with your management credentials, then navigate to Company Settings > Import Users > Active Directory.
Note: Configuration of LDAP discovery requires a basic understanding of Active Directory and requires some minor firewall modifications: see http://support.proofpointessentials.com/index.php?/default_import/Knowledgebase/Article/View/88/0/setup-step-3-firewall-lockdown-options-for-email--ldap-discovery
The following settings should then be completed in order to successfully configure Active Directory (LDAP) as your selected method for provisioning new user accounts. Once this is complete, Active Directory requires minimal additional management.
- Default New User Privileges: End User - The user will get a welcome message and is able to log in to the interface. Silent User - The user will not receive a welcome message and is unable to log in to the interface. A welcome message contains the user's initial log-on information.
- Active Directory URL: Please specify a URL or IP address that Proofpoint Essentials can use to query the organization's Active Directory Server. Note: Please ensure that port 389 is open to Proofpoint Essentials for querying.
- Username & Password: These fields contain the username and password of the account Proofpoint Essentials should use to query the Active Directory service. We recommend an account created specifically for this task, with email disabled (e.g. MDAcc) and a complex password.
- Base DN: This case-sensitive field should contain the exact Base DN of the Active Directory forest. This is specific to the local site and varies widely, e.g. mycompany.local would be equal to DC=mycompany,DC=local
- Active Users?: Select this option to create new user accounts in Proofpoint Essentials for all email-enabled user accounts that exist in the customer's local Active Directory but do not already exist in Proofpoint Essentials.
- Disabled User Accounts?: Select this option to disable user accounts in Proofpoint Essentials for all email-enabled user accounts that exist in the customer's local Active Directory which currently have a local status of Disabled.
- Functional Accounts?: Select this option to create new Functional Accounts in Proofpoint Essentials for all email-enabled Distribution Lists / Security Groups / Public folders that exist in the customer's local Active Directory which do not already exist in Proofpoint Essentials.
- Security Groups?: Select this option to create new Security Groups in Proofpoint Essentials for all non-email-enabled Security Groups that exist in the customer’s local Active Directory which do not already exist in Proofpoint Essentials.
- Include items hidden from the GAL?: Select this option to include items hidden from the GAL (Global Address List).
- Add: Select this option to ensure all new Accounts & Groups in the LDAP query are returned and added to the Proofpoint Essentials platform under the managed organisation.
- Sync Updated Accounts: Select this option to ensure that all updated Accounts & Groups in the Active Directory query are returned and updated in the Proofpoint Essentials platform to stay synchronised with the actual current configuration at the customer site.
- Delete Removed Accounts: Selecting this important option ensures that you are only processing traffic for existing accounts and that you keep your licence account at an accurate level based on enabled Active Directory accounts only.
- Sync Every 24hrs: Select this option to set the Proofpoint Essentials User Configuration to a state of “Set & Forget”. This means that once per 24hrs the Proofpoint Essentials LDAP Discovery function will automatically query the customer’s Active Directory and reflect any changes in line with the settings configured above.
Note: SMTP Discovery will be disabled if LDAP 24 hour sync is enabled.
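Before enabling Add, Delete Removed Accounts or the 24 hour sync, it helps to preview which directory entries each option above would pick up. The following is an added example, not Proofpoint's own code: the attributes it tests (mail, userAccountControl, groupType, msExchHideFromAddressLists) are standard Active Directory attributes, but the classification rules are an assumption about how the options map onto them, and the sample entries are constructed.

```python
# Added example: rules are assumptions, not Proofpoint's documented logic.
ACCOUNTDISABLE = 0x2             # userAccountControl bit: account disabled
SECURITY_ENABLED = 0x80000000    # groupType bit: security (not distribution) group

def domain_to_base_dn(domain):
    """Convert a DNS domain such as mycompany.local to DC=mycompany,DC=local."""
    labels = [p for p in domain.strip().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + p for p in labels)

def classify(entry):
    """Name the import option an entry falls under, or None if not imported."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    has_mail = bool(entry.get("mail"))
    if "group" in classes:       # public folders are not modelled here
        if has_mail:
            return "functional_account"   # email-enabled list or group
        is_security = int(entry.get("groupType", 0)) & SECURITY_ENABLED
        return "security_group" if is_security else None
    # Computer objects also carry objectClass "user", so exclude them.
    if "user" in classes and "computer" not in classes and has_mail:
        disabled = int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE
        return "disabled_user" if disabled else "active_user"
    return None

def preview(entries, include_hidden=False):
    """Group entry DNs by import option, honouring the hidden-from-GAL switch."""
    buckets = {}
    for e in entries:
        hidden = str(e.get("msExchHideFromAddressLists", "")).upper() == "TRUE"
        kind = classify(e)
        if kind and (include_hidden or not hidden):
            buckets.setdefault(kind, []).append(e["dn"])
    return buckets

BASE = domain_to_base_dn("mycompany.local")
SAMPLE = [  # constructed entries, not real directory data
    {"dn": "CN=Ann,CN=Users," + BASE, "objectClass": ["top", "person", "user"],
     "mail": "ann@mycompany.local", "userAccountControl": 512},
    {"dn": "CN=Bob,CN=Users," + BASE, "objectClass": ["user"],
     "mail": "bob@mycompany.local", "userAccountControl": 514},
    {"dn": "CN=Svc,CN=Users," + BASE, "objectClass": ["user"],
     "mail": "svc@mycompany.local", "msExchHideFromAddressLists": "TRUE"},
    {"dn": "CN=Sales,CN=Users," + BASE, "objectClass": ["group"],
     "mail": "sales@mycompany.local", "groupType": 2},
    {"dn": "CN=Admins,CN=Users," + BASE, "objectClass": ["group"],
     "groupType": -2147483646},
]
print(preview(SAMPLE))
```

Comparing the previewed counts with the expected number of mailboxes shows, for instance, whether mail-enabled service accounts that are not hidden from the GAL would be imported as licensed users.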