Installation guide

Deployment Integration
Catalog is handy when creating IWSVA LDAP policies for a parent group whose
user or group members reside on remote domains that are many subdomain
levels deep.
To use this feature, the IWSVA administrator should configure the main LDAP server
that IWSVA uses (on the Web console Administrator > Configuration > User
Identification page) to communicate with a designated Global Catalog-enabled Active
Directory server on port 3268, instead of the default LDAP communication
port 389.
Note: Global Catalog is only available in Microsoft Active Directory. The advantages
of using the Global Catalog port include better performance for LDAP object lookup
and the ability to look up objects that reside in many sublevels of the Active
Directory tree (beyond three). However, for IWSVA to utilize the Global Catalog,
both the AD server being queried for an object and the AD server where the queried
user or group objects reside must have the Global Catalog enabled. IWSVA supports
the Global Catalog port only when it is configured on the main LDAP server, and not
on the IWSVA referral chasing servers.
Tip: Trend Micro recommends allowing IWSVA to query the root Active Directory server
with the Global Catalog enabled, and using Universal group types to do group nesting
when applying policies. Universal groups can be seen by the Global Catalog and are
visible throughout the Active Directory. For more information, see Microsoft support
(http://support.microsoft.com/kb/231273).
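
An added pre-flight check (not from the Trend Micro guide) that confirms a candidate server answers as a Global Catalog on port 3268 and sits in the forest root domain, as the Tip recommends. It assumes OpenLDAP's ldapsearch and a domain controller that permits anonymous rootDSE reads; the function names, the example.com naming contexts and the sample rootDSE are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a Global Catalog target before pointing IWSVA at it.
# Assumptions: OpenLDAP ldapsearch; anonymous rootDSE reads are permitted.

# Constructed sample rootDSE (LDIF), as a root-domain GC would return it.
SAMPLE_DSE='dn:
defaultNamingContext: DC=example,DC=com
rootDomainNamingContext: DC=example,DC=com
isGlobalCatalogReady: TRUE'

# Print the first value of attribute $1 from LDIF on stdin (name match is
# case-insensitive, trailing CR is stripped).
ldif_attr() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            sub(/\r$/, "")
            i = index($0, ": ")
            if (i && tolower(substr($0, 1, i - 1)) == want) {
                print substr($0, i + 2); exit
            }
        }'
}

# Classify rootDSE text in $1: not-gc, gc-root-domain or gc-child-domain.
gc_verdict() {
    ready=$(printf '%s\n' "$1" | ldif_attr isGlobalCatalogReady)
    root=$(printf '%s\n' "$1" | ldif_attr rootDomainNamingContext | tr '[:upper:]' '[:lower:]')
    dflt=$(printf '%s\n' "$1" | ldif_attr defaultNamingContext | tr '[:upper:]' '[:lower:]')
    if [ "$ready" != "TRUE" ]; then
        echo "not-gc"              # Global Catalog not enabled or not ready
    elif [ -n "$root" ] && [ "$root" = "$dflt" ]; then
        echo "gc-root-domain"      # matches the Tip's recommended target
    else
        echo "gc-child-domain"     # GC works, but server is not in the root domain
    fi
}

# Read the rootDSE of host $1 over the Global Catalog port and classify it.
check_gc() {
    dse=$(ldapsearch -x -LLL -o ldif-wrap=no -o nettimeout=5 \
          -H "ldap://$1:3268" -s base -b "" \
          isGlobalCatalogReady rootDomainNamingContext defaultNamingContext) \
        || { echo "unreachable"; return 1; }
    gc_verdict "$dse"
}
```

Run `check_gc <domain-controller-hostname>` from a host that can reach the server; only `gc-root-domain` matches the recommended configuration.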