Passive identity agent roles

The passive identity agent supports the following roles:

• Standalone: A passive identity agent that is not part of a redundant pair. A standalone agent can download users and groups from multiple Active Directory servers and domain controllers, provided the software is installed on all of them.

• Primary: (Primary agent in a redundant pair.) Can be installed on a Microsoft AD domain controller, directory server, or any network client.

  Handles all communication with the Secure Firewall Management Center unless it stops communicating, in which case communication is handled by secondary agents.

• Secondary: (Secondary, or backup, agent in a redundant pair.) Can be installed on a Microsoft AD domain controller, directory server, or any network client.

  Monitors the health of the primary agent and takes over if the primary agent stops communicating with the Secure Firewall Management Center.

Passive identity agent system requirements

The passive identity agent requires the following:

• If you install it on a Windows Active Directory server, the server must run Windows Server 2008 or later.

• If you install it on a Windows client attached to the domain, the client must run Windows 8 or later.

• The system clock on all systems must be synchronized. We strongly recommend using the same NTP servers on all of them. This means:

  • The Secure Firewall Management Center.

    For more information, see Time Synchronization.

  • All Windows Active Directory servers and domain controllers.

  • The machine on which the passive identity agent is installed.

• Secure Firewall Management Center must run 7.6 or later.

• Any Secure Firewall Threat Defense managed by the Secure Firewall Management Center must run 7.0.x or later.

• You must enable Snort 3 on the Secure Firewall Threat Defense devices.

Passive identity agent limitations

The passive identity agent the following limitations:

• Up to 10 agents simultaneously

• One passive identity agent identity source can monitor up to 50 AD directories

• Up to 300,000 concurrent user sessions

• IPv6 addresses are not supported

Deploy the passive identity agent

For information about deployment options, see Deploy the Passive Identity Agent.

Types of agents

You can configure the following types of agents on the Microsoft AD directory server, domain controller, or on any client connected to the domain:

• Standalone agent: One agent that can monitor one or several Active Directory domain controllers in the same domain.

• Primary agent and secondary agent that can monitor one or several AD domain controllers in the same domain: To provide redundancy, you can install a primary and secondary agent on different machines. The primary is responsible for communicating with the Secure Firewall Management Center but if communication fails, the secondary agent takes over.

See one of the following topics for more information.

Deployments

A standalone passive identity agent is represented as follows.

A primary-secondary pair is represented as follows.

The following table explains the meaning of the indicators.

Status indicators and colors

The passive identity agent indicates status using lines (that indicate whether communication with the Secure Firewall Management Center is active or standby) and colors (that indicate whether or not communication is successful).

The following table shows the meanings of lines and colors:

By default, the passive identity agent is configured to communicate with the Firepower System over the internet using HTTPS on port 443/tcp (HTTPS). If you do not want the passive identity agent to have direct access to the internet, you can configure a proxy server.

The following information informs you of the ports the passive identity agent use to communicate with each other, with the Secure Firewall Management Center , and with Microsoft Active Directory.