Firepower user agent for Active Directory

david.campeau
Level 1

I'm in process of learning and implementing the user agent solution for AD dealing with Firepower Identity management. 

 

Reading the directions, the user agent can handle 5 Domain Controllers. My environment has no less than 8 DCs. Will I have to spin up 2 separate servers? Or can I install multiple agents on 1 OS instance?

 

Thanks,

5 Replies

Marvin Rhoads
Hall of Fame

There's no need to spin up any new servers. The agent is pretty lightweight.

 

Just run an instance on DC #1 with the local plus 4 remote DCs being polled = 5 DCs.

 

Then a second instance on DC #6 with the local plus the other two remote DCs = 3 DCs.

 

 

So, you are just recommending installing directly on the DCs?

 

I was going through the documentation and read this: "For security reasons, we recommend you install the user agent on a domain computer and not on the Active Directory server computer."

 

Considering we are in the security business, I was going to spin up a couple of VMs. I'll look into what those risks might be and perhaps these risks can be acceptable.

 

Thank you very much for your input, as I will be looking at all the options.

 

I've always installed them either on a DC (80% of the time or more) or on another existing server. I have never asked a customer to spin up a whole server just to run this one little program.

 

I'm not sure what the rationale is for saying that a program which queries the server event log for user logon/logoff events and stores them in a small database adds security risk when installed on the DC it queries.

To add to what Marvin mentioned, I have also installed it on the DC before with no issues per se. One thing that I would consider is the load on the DC that you are installing this on. If you install this on your most loaded DC and then talk to 5 more, that could have a detrimental effect depending on what load the DC takes in.

The second thing to consider is failover. Say the DC where the FUA is installed goes down for some reason. Users might fall back to another DC that is being managed by the same FUA. This would mean you won't receive any logs from that FUA, and subsequently the user login info is lost for the FMC.

For this reason, I try to install the FUA on every DC and only poll itself. This way, if one goes down, another DC and FUA takes over.

P.S.: I did this for a 60 DC environment recently with no effect on any DC.

How would we, or do we, implement HA with the agents?

 

Currently we do have HA for the FMCs, and if we decide to go the route of installing the agent on each DC, then I think we are covered. However, in the event we have to stand up VMs with agents installed on them, what's the best path to take to implement HA with those agents?

 
