Information about AD Sync in Apex Central / Apex One as a Service

    • Updated:
    • 7 Oct 2021
    • Product/Version:
    • Apex Central All
    • Apex One as a Service
    • Platform:
Summary

In Apex Central and Apex One as a Service, an administrator can configure Active Directory connection settings via the web console UI or the Active Directory Synchronization tool.

This article explains how AD sync works.

Details

The admin may configure the AD connection settings to target a Domain Controller (i.e. DC mode) or a Global Catalog (i.e. GC mode).

  • From the web console UI (Administration > Settings > Active Directory and Compliance Settings):

    Active Directory and Compliance Settings

  • From the AD sync tool:

    AD sync tool

Sync scope

  • DC Mode: Trusted Forest
  • GC Mode: Single Forest

Use case

  • DC Mode: Suitable for most environments.
  • GC Mode: Used when the admin only wants to sync a specific AD forest out of multiple cross-trusted AD forests.

When using GC mode to sync AD, Apex Central / Apex One as a Service does not support using an AD Group of type Domain Local or Global to log on to the web console. AD Groups of type Universal and AD users are still supported in GC mode.

Prerequisites:

  • The admin needs to install and configure Microsoft Active Directory Certificate Services (ADCS) on the domain controller (reference).
  • To use an SSL connection, ensure that the Windows endpoint running the AD sync tool (for SaaS) or the Apex Central server (for on-premise) is either joined to the Active Directory domain or has the Active Directory certificate imported.

Steps:

  1. Use Microsoft Management Console (MMC) to export the Active Directory Certificate as a .cer file from any domain-joined computer or server.
  2. Use Microsoft Management Console (MMC) to import the Active Directory Certificate to the Windows endpoint with AD sync tool (for SaaS) or the Apex Central server (for on-premise).
  3. Configure SSL for Active Directory connection.

    • SaaS (AD sync tool)

      Configure SSL for AD connection on SaaS

    • On-premise (web console UI > Administration > Settings > Active Directory and Compliance Settings)

      Configure SSL for AD connection on On-premise

  4. Perform AD sync.

    Ports used for the LDAP/GC connection, with and without SSL:

                 LDAP       GC
      Non-SSL    TCP 389    TCP 3268
      SSL        TCP 636    TCP 3269
Scenarios

  • Sync an AD domain or an AD forest
    • DC Mode: Add an AD domain setting

      DC Add an AD domain setting

    • GC Mode: Add an AD domain setting

      GC Add an AD domain setting

  • Sync multiple AD forests with cross-forest trust
    • DC Mode: Add an AD domain setting

      DC Trust Domain

    • GC Mode: Add an AD domain setting for each forest

      GC Trust Domain

  • Sync multiple AD forests without forest trust
    • DC Mode: Add an AD domain setting for each forest

      DC Non-Trust Domain

    • GC Mode: Add an AD domain setting for each forest

      GC Non-Trust Domain

For more details on what data the AD tool synchronizes, refer to the KB article: Data synchronized by the AD Sync Tool.
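The following preflight check is added here and is not part of the article or of Trend Micro's tooling. It applies the port table and the SSL prerequisites above from the endpoint that will run the AD sync: it confirms that the DC or GC port is reachable and, for SSL, that the domain controller's certificate chains to the exported AD CA certificate, classifying any failure by the prerequisite it points at. The host name and certificate path in the usage block are placeholders.

```python
import socket
import ssl

# Port table from the article: (mode, use_ssl) -> TCP port.
PORTS = {("DC", False): 389, ("DC", True): 636,
         ("GC", False): 3268, ("GC", True): 3269}


def ldap_port(mode, use_ssl):
    """Return the LDAP (DC mode) or Global Catalog (GC mode) port."""
    return PORTS[(mode.upper(), bool(use_ssl))]


def classify(exc):
    """Map a connection error to the article prerequisite it points at."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-not-trusted"   # AD certificate not imported (steps 1-2)
    if isinstance(exc, ssl.SSLError):
        return "tls-failure"        # DC offers no LDAPS certificate (ADCS prerequisite)
    if isinstance(exc, OSError):
        return "port-unreachable"   # wrong mode/port, firewall, DNS, or timeout
    return "unknown"


def check_ad_endpoint(host, mode="DC", use_ssl=True, cafile=None, timeout=5):
    """Return (ok, detail) for one DC/GC connection in the chosen mode.

    cafile is the exported AD CA certificate; export it from MMC as
    "Base-64 encoded X.509 (.CER)" so Python can load it as PEM. When given,
    only that CA is trusted, mirroring the "import the certificate" step.
    """
    port = ldap_port(mode, use_ssl)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if not use_ssl:
                return True, f"{host}:{port} reachable (plain LDAP)"
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # issuer is a tuple of RDNs; each RDN is a tuple of (name, value) pairs
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, f"{host}:{port} LDAPS ok, issued by {issuer.get('commonName')}"
    except Exception as exc:
        return False, f"{host}:{port} {classify(exc)}: {exc}"


if __name__ == "__main__":
    # Placeholder values: replace with your domain controller and exported .cer path.
    for mode in ("DC", "GC"):
        print(check_ad_endpoint("dc01.example.local", mode, True, "ad-root-ca.cer"))
```

Run it once per mode you intend to configure; a "cert-not-trusted" result means the endpoint still needs the exported AD certificate imported (or a domain join), while "port-unreachable" points at the port table rather than at certificates.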

 

Sync specified Organizational Units (OU) from AD

  • Since the Apex One as a Service September 2019 Update / Apex Central on-premise HF build 3964, syncing only specified OUs from AD is supported.
  • For the configuration details:

    • On-premise: refer to %Apex Central installation folder%\ADSyncOUList.config
    • SaaS environment (i.e. AD sync tool): refer to %Apex_Central_ADSyncAgent_folder%\ADSyncOUList.config
Category:
Configure; SPEC
Solution Id:
000283058