Connecting Access Anywhere to Active Directory

Access Anywhere supports a delegated authentication model in which users' credentials are validated not by Access Anywhere itself but by an external authentication system such as SAML or Active Directory (AD). Access Anywhere offers two ways to connect to Active Directory: communicate directly with the AD server using LDAP (Lightweight Directory Access Protocol), or use a proxy program, Active Directory Proxy (AD Proxy), provided by Access Anywhere. When the proxy is used, Access Anywhere talks to the proxy and the proxy talks to the AD server.

Allowing Access Anywhere to connect directly to the AD server using LDAP requires that the AD server be reachable from Access Anywhere over the network. If both Access Anywhere and the AD server run behind the customer's firewall, this arrangement presents no special security challenges. If, however, the Access Anywhere Appliance runs in a third-party data centre, as is the case for SME's IaaS customers, then the AD server will have to be reachable by Access Anywhere over the public internet. To secure this kind of connection, customers may use either a firewall that filters traffic by source IP address or a virtual private network (VPN) that provides a private tunnel between the Access Anywhere Appliance and the AD server. Additionally, they will almost certainly want to use either TLS or LDAPS, both of which Access Anywhere supports, to encrypt the traffic.
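One way to check a proposed direct LDAP configuration against the requirements in the paragraph above, as an added example (not Access Anywhere code): it parses ldap:// and ldaps:// URLs, reports plaintext transport or an internet-exposed domain controller that has neither IP filtering nor a VPN, and builds a strict TLS client context for LDAPS or StartTLS. The URL forms, the default ports 389 and 636, the function names and the host dc01.corp.example are assumptions, and "TLS" on the page is taken to mean StartTLS on the plain LDAP port.

```python
"""Added example, not part of Access Anywhere: assess the transport security of a
direct LDAP connection to Active Directory and build a strict TLS context for it.
Assumptions: ldap:// and ldaps:// URL forms with the usual default ports (389, 636);
"TLS" on the plain port means StartTLS. Host names below are constructed placeholders.
"""
import ssl
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LdapEndpoint:
    host: str
    port: int
    ldaps: bool      # TLS from the first byte (ldaps://, default port 636)
    starttls: bool   # ldap:// upgraded to TLS after connecting (default port 389)


def parse_ldap_url(url: str, starttls: bool = False) -> LdapEndpoint:
    """Parse an ldap:// or ldaps:// URL into an endpoint description."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    ldaps = parts.scheme == "ldaps"
    if ldaps and starttls:
        raise ValueError("StartTLS applies to ldap:// only; ldaps:// is already TLS")
    port = parts.port or (636 if ldaps else 389)
    return LdapEndpoint(parts.hostname, port, ldaps, starttls)


def transport_is_encrypted(ep: LdapEndpoint) -> bool:
    """True when the bind and directory traffic are protected by TLS."""
    return ep.ldaps or ep.starttls


def build_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context for LDAPS/StartTLS: verify the domain controller's certificate
    (against the customer's CA bundle if given), check the host name, and refuse
    anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def assess_direct_connection(url: str, starttls: bool, ad_reachable_from_internet: bool,
                             ip_filtered: bool, via_vpn: bool) -> List[str]:
    """Return the findings a reviewer would raise against a proposed direct LDAP
    integration: unencrypted transport, and internet exposure without a network
    control (firewall IP filtering or a VPN tunnel) in front of the AD server."""
    ep = parse_ldap_url(url, starttls)
    findings: List[str] = []
    if not transport_is_encrypted(ep):
        findings.append(
            f"{ep.host}:{ep.port} is plaintext LDAP; bind credentials and directory "
            "data cross the network unencrypted. Use LDAPS or StartTLS.")
    if ad_reachable_from_internet and not (ip_filtered or via_vpn):
        findings.append(
            f"{ep.host} is reachable from the public internet with neither IP filtering "
            "nor a VPN; restrict the source to the Access Anywhere Appliance.")
    return findings


if __name__ == "__main__":
    # Constructed configurations: a weak one and a hardened one for the same DC.
    weak = assess_direct_connection("ldap://dc01.corp.example", False, True, False, False)
    hardened = assess_direct_connection("ldaps://dc01.corp.example", False, True, True, False)
    print("weak:", weak)
    print("hardened:", hardened)
    ctx = build_tls_context()
    print("TLS minimum:", ctx.minimum_version.name, "verify:", ctx.verify_mode.name)
```

The context returned by `build_tls_context` is what you would hand to a socket wrap or to an LDAP client library's TLS settings; the point of setting `CERT_REQUIRED` and `check_hostname` explicitly is that an LDAPS connection which does not verify the domain controller's certificate encrypts the traffic but still lets an on-path host impersonate the directory.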

When AD Proxy is used instead of a direct connection, there is no need to expose the AD server on the network; only the proxy needs to be reachable. The proxy need not run on the AD host itself. Traffic between AD Proxy and the Access Anywhere Appliance is automatically encrypted using symmetric encryption keys.

Although both connectivity options, direct LDAP and AD Proxy, allow NAA to use AD for authentication, direct LDAP provides richer functionality than AD Proxy. With a direct LDAP connection, the mapping between users and their NAA roles is updated automatically when the users' AD group assignments change, and AD users can be auto-provisioned on SME. Neither of these features is available with AD Proxy. The configuration for a direct LDAP connection also includes provisions for AD high availability; the AD Proxy configuration does not.

Organisations implementing AD authentication with Access Anywhere should weigh the simplicity of the AD Proxy's network security model against the functional advantages of the direct LDAP connection when deciding which integration method to pursue.

See also: Active Directory Integration