Supported Servers for Realms

You can configure realms to connect to the following types of servers, provided they have TCP/IP access from the Cisco Defense Orchestrator:

| Server Type | Supported for ISE/ISE-PIC data retrieval? | Supported for TS Agent data retrieval? | Supported for captive portal data retrieval? |
|---|---|---|---|
| Microsoft Active Directory on Windows Server 2012, 2016, and 2019 | Yes | Yes | Yes |
| OpenLDAP on Linux | No | No | Yes |

Note

If the TS Agent is installed on a Microsoft Active Directory Windows Server shared with another passive authentication identity source (ISE/ISE-PIC), the CDO prioritizes the TS Agent data. If the TS Agent and a passive identity source report activity by the same IP address, only the TS Agent data is logged to the CDO.

Note the following about your server group configurations:

  • To perform user control on user groups or on users in groups, you must configure user groups on the LDAP or Active Directory server.

  • Group names cannot start with S- because it is used internally by LDAP.

    Neither group names nor organizational unit names can contain special characters like asterisk (*), equals (=), or backslash (\); otherwise, users in those groups or organizational units are not downloaded and are not available for identity policies.

  • To configure an Active Directory realm that includes or excludes users who are members of a sub-group on your server, note that Microsoft recommends that Active Directory has no more than 5000 users per group in Windows Server 2012. For more information, see Active Directory Maximum Limits—Scalability on MSDN.

    If necessary, you can modify your Active Directory server configuration to increase this default limit and accommodate more users.

  • To uniquely identify the users reported by a server in your Remote Desktop Services environment, you must configure the Cisco Terminal Services (TS) Agent. When installed and configured, the TS Agent assigns unique ports to individual users so the system can uniquely identify those users. (Microsoft changed the name Terminal Services to Remote Desktop Services.)

    For more information about the TS Agent, see the Cisco Terminal Services (TS) Agent Guide.
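As an added example (not Cisco's code), a Python pre-check that runs over an LDIF export of your group entries and flags the names the list above says the realm will not download (an S- prefix, or an asterisk, equals sign or backslash in a group or organizational unit name) together with groups over the 5000-member guideline. The export format and the directory data are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constraints from the page: group names must not start with "S-", and neither
# group names nor OU names may contain "*", "=" or "\"; Microsoft's recommended
# ceiling on Windows Server 2012 is 5000 users per group.
FORBIDDEN_CHARS = set("*=\\")
MAX_GROUP_MEMBERS = 5000

# Constructed sample LDIF export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Engineering,OU=Groups,DC=example,DC=com
objectClass: group
member: CN=alice,OU=Users,DC=example,DC=com
member: CN=bob,OU=Users,DC=example,DC=com

dn: CN=S-Contractors,OU=Groups,DC=example,DC=com
objectClass: group
member: CN=carol,OU=Users,DC=example,DC=com

dn: CN=Sales*West,OU=Ops\\Sales,DC=example,DC=com
objectClass: group
member: CN=dave,OU=Users,DC=example,DC=com
"""


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs; commas escaped as '\\,' stay in the value."""
    return [rdn.partition("=")[::2] for rdn in re.split(r"(?<!\\),", dn)]


def parse_groups(ldif: str) -> Dict[str, int]:
    """Return {group DN: member count} for every entry with objectClass group."""
    groups: Dict[str, int] = {}
    for entry in ldif.strip().split("\n\n"):
        lines = entry.splitlines()
        dn = next((l[4:] for l in lines if l.startswith("dn: ")), None)
        if dn is None or "objectClass: group" not in lines:
            continue
        groups[dn] = sum(1 for l in lines if l.startswith("member: "))
    return groups


def check_realm_export(ldif: str, max_members: int = MAX_GROUP_MEMBERS) -> Dict[str, List[str]]:
    """Map each problematic group DN to the reasons it would be skipped or is oversized."""
    findings: Dict[str, List[str]] = {}
    for dn, count in parse_groups(ldif).items():
        reasons = []
        for attr, value in split_dn(dn):
            attr = attr.upper()
            if attr == "CN" and value.startswith("S-"):
                reasons.append(f"group name {value!r} starts with S-")
            if attr in ("CN", "OU") and FORBIDDEN_CHARS & set(value):
                reasons.append(f"{attr} {value!r} contains * = or \\")
        if count > max_members:
            reasons.append(f"{count} members exceeds recommended {max_members}")
        if reasons:
            findings[dn] = reasons
    return findings


if __name__ == "__main__":
    for group_dn, why in check_realm_export(SAMPLE_LDIF).items():
        print(group_dn, "->", "; ".join(why))
```

Run it against the output of an `ldifde` or `ldapsearch` export of your group container before adding the realm, so the groups that would silently be missing from identity policies are fixed on the directory side first.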