User Control with the Passive Identity Agent

The following topics discuss how to configure and use the passive identity agent.

The Passive Identity Agent Identity Source

The passive identity agent identity source sends session data from Microsoft Active Directory (AD) to the Cisco Security Cloud Control. All you need is a supported Microsoft AD setup as discussed in About Realms and Realm Sequences.


Note


You do not need to configure the Cisco Identity Services Engine (ISE) to use this identity source.


Passive identity agent roles

The passive identity agent supports the following roles:

  • Standalone: A passive identity agent that is not part of a redundant pair. A standalone agent can download users and groups from multiple Active Directory servers and domain controllers, provided the software is installed on all of them.

  • Primary: (Primary agent in a redundant pair.) Can be installed on a Microsoft AD domain controller, directory server, or any network client.

    Handles all communication with the Cloud-delivered Firewall Management Center unless it stops communicating, in which case communication is handled by secondary agents.

  • Secondary: (Secondary, or backup, agent in a redundant pair.) Can be installed on a Microsoft AD domain controller, directory server, or any network client.

    Monitors the health of the primary agent and takes over if the primary agent stops communicating with the Cloud-delivered Firewall Management Center.

Passive identity agent system requirements

The passive identity agent requires the following:

  • If you install it on a Windows Active Directory server, the server must run Windows Server 2008 or later.

  • If you install it on a Windows client attached to the domain, the client must run Windows 8 or later.

  • The system clock on all systems must be synchronized. We strongly recommend using the same NTP servers on all of them. This means:

    • The Security Cloud Control.

      For more information, see Configure NTP Server.

    • All Windows Active Directory servers and domain controllers.

    • The machine on which the passive identity agent is installed.

  • Security Cloud Control must run November 8, 2024 or later.

  • You must enable Snort 3 on the Secure Firewall Threat Defense devices.

Passive identity agent limitations

The passive identity agent the following limitations:

  • Up to 10 agents simultaneously

  • One passive identity agent identity source can monitor up to 50 AD directories

  • Up to 300,000 concurrent user sessions

  • IPv6 addresses are not supported

Deploy the passive identity agent

For information about deployment options, see Deploy the Passive Identity Agent.

Deploy the Passive Identity Agent

You can install the Passive Identity Agent software on any machine that is part of a Microsoft Active Directory (AD) domain you want to use for user awareness and control. In other words, you can install it on any of the following:

  • The Microsoft Active Directory server

  • A domain controller

  • A client connected to the network that is neither the directory server nor a domain controller

Any particular passive identity agent can monitor one or several Active Directory domain controllers in the same domain.

The machine on which the passive identity agent must communicate with the Cloud-delivered Firewall Management Center using the TLS/SSL protocol. For more information, see Internet Access Requirements for the Passive Identity Agent.

Types of agents

You can configure the following types of agents on the Microsoft AD directory server, domain controller, or on any client connected to the domain:

  • Standalone agent: One agent that can monitor one or several Active Directory domain controllers in the same domain.

  • Primary agent and secondary agent that can monitor one or several AD domain controllers in the same domain: To provide redundancy, you can install a primary and secondary agent on different machines. The primary is responsible for communicating with the Cloud-delivered Firewall Management Center but if communication fails, the secondary agent takes over.

See one of the following topics for more information.

Simple Passive Identity Agent Deployment

The following diagram shows the simplest passive identity agent deployment.

The simplest Passive Identity Agent is one standalone agent installed on the Active Directory domain controller. This agent sends user name and IP info to the firewall manager

In the preceding example, a standalone passive identity agent is installed on the AD domain controller. Users log in and out of the AD domain and the agent sends user name and IP address information to the Cloud-delivered Firewall Management Center. As users access the network, access control and identity policies deployed to the Secure Firewall Threat Defense determine whether or not, and how, access is allowed.

You can install a passive identity agent on the AD domain controller, directory server, or on any client connected to the domain you wish to monitor.

Single Passive Identity Agent Monitoring Multiple Domain Controllers

The following diagram shows a standalone passive identity agent that monitors several AD domain controllers.

One standalone passive identity agent can be installed on the Active Directory domain and send user IP address information to the firewall manager

In the preceding diagram, the standalone passive identity agent is installed on a client attached to the AD domain (or on the domain controller itself). Users log in to any domain controller and the agent sends user and IP address information to the Cloud-delivered Firewall Management Center. As users access the network, access control and identity policies deployed to the Secure Firewall Threat Defense determine whether or not, and how, access is allowed.

You can install a passive identity agent on the AD domain controller, directory server, or on any client connected to the domain you wish to monitor.

Multiple Passive Identity Agents Monitoring Multiple Domain Controllers

The following figure shows standalone monitoring multiple AD domain controllers:

  • In AD domain 1, a standalone passive identity agent installed on a machine attached to AD domain controller 1 sends user and IP address mapping data to the Cloud-delivered Firewall Management Center.

  • In AD domain 2, standalone agents installed on AD domain controllers 1 and 2 send user and IP address mapping data to the Cloud-delivered Firewall Management Center.

You can deploy several standalone passive identity agents to monitor multiple Active Directory networks and send user IP information to the firewall manager

You can install a passive identity agent on the AD domain controller, directory server, or on any client connected to the domain you wish to monitor.

The preceding figure shows three passive identity agents, each configured as a standalone. To do this:

  1. Create two Microsoft AD realms: one for each AD domain.

    See Create an LDAP Realm or an Active Directory Realm and Realm Directory.

  2. For AD domain 2, create two directories, one for each domain controller.

  3. Install the Passive Identity Agent software on a client that can log in to the domain.

    Configure each passive identity agent individually to communicate with the Cloud-delivered Firewall Management Center on which you configure the passive identity agent source.

    See Install the Passive Identity Agent Software.

  4. Create the passive identity agent identity source.

    See Create a Primary or Secondary Passive Identity Agent Identity Source.

Passive Identity Agent Primary/Secondary Agent Deployments

To provide redundancy and to avoid a single point of failure, you can configure primary and secondary passive identity agents in any of the ways shown in this topic.

You can install a passive identity agent on the AD domain controller, directory server, or on any client connected to the domain you wish to monitor.

Single AD domain controller with primary and secondary agents

The following figure shows how to set up primary and secondary passive identity agents on one AD domain controller. If the primary agent fails, the secondary takes over.

The advantage of using primary and secondary passive identity agents is that if the primary agent does not communicate with the Cloud-delivered Firewall Management Center for any reason, the secondary takes over. You can use any of the other types of deployments (in other words, primary/secondary agents monitoring one AD domain or multiple domains

To set this up:

  1. Create a Microsoft AD realm that has one directory for the domain controller.

    See Create an LDAP Realm or an Active Directory Realm and Realm Directory.

  2. Install the passive identity agent software on any two network machines connected to the domain controller.

    Configure each passive identity agent individually to communicate with the Cloud-delivered Firewall Management Center on which you configure the passive identity agent source.

    See Install the Passive Identity Agent Software.

  3. Create the identity source.

    See Create a Primary or Secondary Passive Identity Agent Identity Source.

Multiple AD domain controllers, primary and secondary agents

An example of primary and secondary agents installed on different AD domain controllers, all sending user IP information to the firewall manager

The preceding figure shows how to configure primary and secondary agents to monitor three AD domain controllers. If the primary agent fails, the secondary agent takes over.

To set this up:

  1. Create a Microsoft AD realm that has one directory for the domain controller.

    See Create an LDAP Realm or an Active Directory Realm and Realm Directory.

  2. Install the passive identity agent software on any machine connected to the domain controller.

    Configure each passive identity agent individually to communicate with the Cloud-delivered Firewall Management Center on which you configure the passive identity agent source.

    See Install the Passive Identity Agent Software.

  3. Create the identity source.

    See Create a Primary or Secondary Passive Identity Agent Identity Source.

How to Create a Passive Identity Agent Identity Source

The following provides high-level tasks required to configure the passive identity agent identity source in the Cloud-delivered Firewall Management Center and to deploy agent software to your Microsoft Active Directory (AD) servers.

Procedure

  Command or Action Purpose

Step 1

Create a realm for your Microsoft AD domain and domain controllers.

Realms are connections between the Cloud-delivered Firewall Management Center and the user accounts on the servers you monitor. They specify the connection settings and authentication filter settings for the server.

For more information, see Create an LDAP Realm or an Active Directory Realm and Realm Directory.

Step 2

Create a passive identity agent identity source.

The identity source allows the Cloud-delivered Firewall Management Center and passive identity agent to communicate with each other. Create standalone, primary, or secondary agents, depending on your needs.

For more information, see:

Step 3

Create a passive identity agent user on the Cloud-delivered Firewall Management Center.

We provide a role sufficient for the agent and manager to communicate with each other. We recommend using that role and no other for the passive identity agent user.

Step 4

Install the passive identity agent software.

The way you install the agent depends on your deployment.

You can install a passive identity agent on the AD domain controller, directory server, or on any client connected to the domain you wish to monitor.

For more information, see:

What to do next

Create an LDAP Realm or an Active Directory Realm and Realm Directory.

Configure the Passive Identity Agent

The following topics discuss how to configure the passive identity agent.

Create a Passive Identity Agent Identity Source

This task discusses how to create a passive identity agent that sends user session activity to the Cloud-delivered Firewall Management Center.

Before you begin

Complete the following:

Procedure


Step 1

Log in to the Cisco Security Cloud Control.

Step 2

Click Objects > Other FTD Objects.

Step 3

Integration > Other Integrations > Identity Sources

Step 4

Click Passive Identity Agent.

Step 5

Click Create Agent.

Step 6

In the Configure Agent dialog box, enter the following information:

Item

Description

Name

Enter a unique name to identify this passive identity agent.

Description

Enter an optional description.

Role

Click one of the following:

  • Primary: The agent responsible for communicating with the Cisco Security Cloud Control.

    Not available if you choose Standalone.

  • Secondary: Becomes the primary if the primary loses contact with the Cisco Security Cloud Control.

    Not available if you choose Standalone.

  • Standalone: If there is only one passive identity agent.

For more information about roles, see About Passive Identity Agent Roles.

Step 7

Continue with:


Create a Standalone Passive Identity Agent Identity Source

This task discusses how to configure a standalone passive identity agent.
Before you begin

Complete the tasks discussed in Create a Passive Identity Agent Identity Source.

Procedure

Step 1

In the Configure Agent dialog box, enter the following information:

Item

Description

Role

Click Standalone.

Domain Controller

From the list, select the check box next to each domain controller that has a passive identity agent you wish to use for identity management and user control.

The following figure shows an example of a standalone passive identity agent identity source.

When you create a standalone passive identity agent, you must specify a name and an AD domain controller defined by the realm

Step 2

In the Configure Agent dialog box, click Save.

Step 3

In the top right corner of the page, click Save.

The following figure shows an example.

You must click Save at the top of the page to save the identity source configuration

Note

 

The passive identity agent won't be active until you create a user and install the software.


What to do next

Create a Primary or Secondary Passive Identity Agent Identity Source

The following task continues from Create a Passive Identity Agent Identity Source.

Before you begin

Complete the tasks discussed in Create a Passive Identity Agent Identity Source.

Procedure

Step 1

In the Configure Agent dialog box, enter the following information:

Item

Description

Role

Click one of the following:

  • Primary: The agent responsible for communicating with the Secure Firewall Management Center.

  • Secondary: Becomes the primary if the primary loses contact with the Secure Firewall Management Center.

For more information about roles, see About Passive Identity Agent Roles.

Primary Agent Hostname/IP Address

(Primary agent only.) Enter the fully qualified domain name or IP address of the server on which the primary passive identity agent is installed.

The passive identity agent supports IPv4 addresses and fully qualified domain names only. IPv6 addresses are not supported.

Secondary Agent Hostname/IP Address

(Secondary agent only.) Enter the fully qualified host name or IP address of the server on which the secondary passive identity agent is installed.

The passive identity agent supports IPv4 addresses and fully qualified domain names only. IPv6 addresses are not supported.

Primary Agent

(Secondary agent only.) From the list, click the name of the primary passive identity agent.

Domain Controller

(Primary agent only.) From the list, select the check box next to each domain controller that has a passive identity agent you wish to use for identity management and user control.

The following figure shows an example of a primary agent:

Create a primary passive identity agent that communicates with the secure firewall manager. If the primary agent fails to communicate with the secure firewall manager, the secondary takes over.

The following figure shows an example of a secondary agent:

Create a secondary passive identity agent to take over from the primary in the event it stops communicating with the secure firewall manager.

Step 2

In the Configure Agent dialog box, click Save.

Step 3

In the top right corner of the page, click Save.

The following figure shows an example.

In this example, there is a primary and secondar passive identity agent monitoring the domain forest.example.com.

Note

 

The passive identity agent won't be active until you create a user and install the software.


What to do next

About Passive Identity Agent Roles

The passive identity agent has the following roles:

  • Standalone: A passive identity agent that is not part of a redundant pair. A standalone agent can download users and groups from multiple Active Directory servers and domain controllers, provided the software is installed on all of them.

  • Primary: (Primary agent in a redundant pair.) Can be installed on a Microsoft AD domain controller, directory server, or any network client.

    Handles all communication with the Cloud-delivered Firewall Management Center unless it stops communicating, in which case communication is handled by secondary agents.

  • Secondary: (Secondary, or backup, agent in a redundant pair.) Can be installed on a Microsoft AD domain controller, directory server, or any network client.

    Monitors the health of the primary agent and takes over if the primary agent stops communicating with the Cloud-delivered Firewall Management Center.

The can monitor several AD domain controllers that art part of the same domain.

Create a Cisco Security Cloud Control User for the Passive Identity Agent

This task discusses how to create a Secure Firewall Management Center user with sufficient permissions to communicate with the passive identity agent.


Note


Use only the Passive Identity User role for the passive identity agent user. In particular, do not use the Administrator role for the passive identity agent because Administrator will be logged off at a regular basis as the passive identity agent communicates with the Secure Firewall Management Center.


Before you begin

Complete the tasks discussed in Create a Passive Identity Agent Identity Source.


Note


You cannot use external authentication with the Passive Identity Agent.


Procedure


Step 1

Log in to the Cisco Security Cloud Control.

Step 2

Click System (system gear icon) > Users > Users.

Step 3

Click Create User.

Step 4

Create the user as discussed in Add or Edit an Internal User in the Cisco Secure Firewall Management Center Administration Guide.

Step 5

Select the Passive Identity User role.

The following figure shows an example.

The passive identity agent user must be assigned the Passive Identity User role and no other role.

Note

 

Do not choose a role for the passive identity agent user other than Passive Identity User because the agent will not function properly.

Step 6

Click Save.


What to do next

Install the Passive Identity Agent Software.

Troubleshoot the Passive Identity Agent

This topic discusses how you can troubleshoot the passive identity agent software on your Windows AD domain controller or directory server.

(Optional.) Set the log level

By default, the passive identity agent logs at the INFO level. To optionally change the log level, open C:\Program Files\Program Files (x86)\Cisco\Cisco Passive Identity Agent\CiscoPassiveIdentityAgentService.exe.config in a text editor, save the file, and restart the Cisco Passive Identity Agent service.

Do not rename the logging service

Do not rename C:\Program Files\Program Files (x86)\Cisco\Cisco Passive Identity Agent\CiscoPassiveIdentityAgentService.exe.config ; otherwise, the passive identity agent will stop generating log files. Do not remove or change the .exe.config file extension.

View log files

Passive identity agent log files are stored in plain text format in the agent's installation directory: C:\Program Files\Program Files (x86)\Cisco\Cisco Passive Identity Agent .

Use Notepad or another text editor to view these files. Log files rotate after reaching 10MB in size.

Use the Microsoft Active Directory event viewer

In the event you are not seeing user sessions in the Cisco Security Cloud Control, you can look on your Microsoft Active Directory server's event viewers for the following Kerberos-related events:

For general information about audit policy, see Audit Policy Recommendations on learn.microsoft.com.

For more information about Windows Group Policy Object settings, see Group Policy Objects on learn.microsoft.com.

Get an API Token for the Passive Identity Agent

This task discusses how to get the API token, which is used by the passive identity agent to authenticate with the cloud-delivered Firewall Management Center. It applies only to using the passive identity agent with the cloud-delivered Firewall Management Center.

Required role:

  • Super Admin

  • Admin

Procedure


Step 1

Log in to Cisco Security Cloud Control.

Step 2

Click Administration > Integrations & Migration > Cloud Services.

Step 3

Check the box next to the cloud-delivered Firewall Management Center with which you want to use the passive identity agent.

Step 4

In the right pane, click Passive Identity.

Step 5

Copy the token to the clipboard.


What to do next

Install the Passive Identity Agent Software.

Install the Passive Identity Agent Software

This task discusses how to install the passive identity agent software. For a simple installation, you can install it on your Microsoft Active Directory (AD) domain controller; for other options, see Deploy the Passive Identity Agent.

Before you begin

See Get an API Token for the Passive Identity Agent.

Make sure your systems meet the following requirements:

  • If you install it on a Windows Active Directory server, the server must run Windows Server 2008 or later.

  • If you install it on a Windows client attached to the domain, the client must run Windows 8 or later.

  • The system clock on all systems must be synchronized. We strongly recommend using the same NTP servers on all of them. This means:

    • The Security Cloud Control.

      For more information, see Configure NTP Server.

    • All Windows Active Directory servers and domain controllers.

    • The machine on which the passive identity agent is installed.

  • Security Cloud Control must run November 8, 2024 or later.

  • You must enable Snort 3 on the Secure Firewall Threat Defense devices.

Procedure


Step 1

Download the passive identity agent from software.cisco.com.

Step 2

Log in as a member of the Administrators group to the machine on which to install the passive identity agent.

Step 3

Double-click CiscoPassiveIdentityAgentInstaller-1.0.msi .

Step 4

Click Next.

Step 5

Choose a folder in which to install the passive identity agent and click Next.

The default installation folder is Program Files\Program Files (x86)\Cisco\Cisco Passive Identity Agent .

Step 6

Click Next.

Step 7

Click Install.

Step 8

When the installation is done, click Finish and optionally check the box to start the passive identity agent.

Step 9

When the passive identity agent starts, click the On-Prem tab if you are using the agent with an on-premises Secure Firewall Management Center (physical or virtual) or click the Cloud tab if you are using the agent with Security Cloud Control.

Step 10

In the Cisco Passive Agent dialog box, enter the following information:

Item

Description

FMC FQDN / IP Address

Enter the fully qualified domain name or IP address of the Cloud-delivered Firewall Management Center on which you created the passive identity agent identity source.

The passive identity agent supports IPv4 addresses and fully qualified domain names only. IPv6 addresses are not supported.

Token

Enter the API token you found in Get an API Token for the Passive Identity Agent.

Agent

Click the list to locate the domain controller of the passive identity agent you created previously on the Cisco Security Cloud Control.

Step 11

Click the Agent list.

Step 12

From the list, click the name of the domain controller to monitor.

Step 13

Click Test.

The following figure shows an example.

Make sure you test the connection before you save the configuration.

Step 14

Only if the test succeeds, click Save.


What to do next

Uninstall the Passive Identity Agent Software

This task discusses how to uninstall the passive identity agent software from your Microsoft AD servers.

Procedure


Step 1

Log in as an administrator to the machine on which the passive identity agent is installed.

Step 2

Search for Add or Remove Programs.

Step 3

Click Cisco Passive Identity Agent.

Step 4

Click Uninstall.

Step 5

You are required to confirm the uninstallation.


Monitor the Passive Identity Agent

The passive identity agent indicates whether or not it can communicate with the Cisco Security Cloud Control and other agents if it's configured as primary-secondary. You can view the status at Integration > Other Integrations > Identity Sources.

Deployments

A standalone passive identity agent is represented as follows.

A primary-secondary pair is represented as follows.

The following table explains the meaning of the indicators.

Object

Meaning

Cloud-delivered Firewall Management Center

Standalone Passive Identity Agent

Active Directory domain controller

Primary agent

Secondary agent

Status indicators and colors

The passive identity agent indicates status using lines (that indicate whether communication with the Cloud-delivered Firewall Management Center is active or standby) and colors (that indicate whether or not communication is successful).

The following table shows the meanings of lines and colors:

Object

Meaning

Solid line

The agent that is responsible for communicating with the Cloud-delivered Firewall Management Center.

Dashed line

Primary/secondary configuration only. The agent that is acting as the backup agent. In the event of a communication failure between the active (solid line) agent, this agent communicates with the Cloud-delivered Firewall Management Center.

Green

Agent communication is normal.

Amber

Agent has never successfully communicated with the Cloud-delivered Firewall Management Center. A newly created agent line is orange and remains so until configuration is complete.

Red

Communication is failing. To resolve the issues:

  • Check sure the network connections between agents and the Cloud-delivered Firewall Management Center.

  • Make sure you have completed configuring the system (Microsoft AD server, domain controllers, and the Cloud-delivered Firewall Management Center).

    For more information, see How to Create a Passive Identity Agent Identity Source.

Manage the Passive Identity Agent

Edit Passive Identity Agents

This task discusses how to edit passive identity agents you previously configured in the Cisco Security Cloud Control.

Procedure


Step 1

Log in to the Cisco Security Cloud Control.

Step 2

Click Objects > Other FTD Objects.

Step 3

Integration > Other Integrations > Identity Sources

Step 4

Click Edit (edit icon) next to the agent to edit.

Step 5

Make the desired changes.

Step 6

Click Save.


Delete a Standalone Passive Identity Agent

This task discusses how to delete a standalone passive identity agent.

Procedure


Step 1

Log in to the Cisco Security Cloud Control.

Step 2

Click Objects > Other FTD Objects.

Step 3

Integration > Other Integrations > Identity Sources

Step 4

Click Edit (edit icon) next to the agent to delete.

Step 5

Click Delete.

Step 6

You are required to confirm the action.


Delete Primary and Secondary Passive Identity Agents

This task discusses how to delete primary and secondary passive identity agents. You must delete a secondary agent before you can delete a primary agent.

Procedure


Step 1

Log in to the Cisco Security Cloud Control.

Step 2

Click Objects > Other FTD Objects.

Step 3

Integration > Other Integrations > Identity Sources

Step 4

Click Passive Identity Agent.

Step 5

Click Edit (edit icon) next to a secondary agent to delete.

Step 6

Click Delete.

Step 7

You are required to confirm the action.

Step 8

If you wish to delete a primary agent, first delete all secondary agents.


Troubleshoot the Passive Identity Agent

This topic discusses how you can troubleshoot the passive identity agent software on your Windows AD domain controller or directory server.

(Optional.) Set the log level

By default, the passive identity agent logs at the INFO level. To optionally change the log level, open C:\Program Files\Program Files (x86)\Cisco\Cisco Passive Identity Agent\CiscoPassiveIdentityAgentService.exe.config in a text editor, save the file, and restart the Cisco Passive Identity Agent service.

Do not rename the logging service

Do not rename C:\Program Files\Program Files (x86)\Cisco\Cisco Passive Identity Agent\CiscoPassiveIdentityAgentService.exe.config ; otherwise, the passive identity agent will stop generating log files. Do not remove or change the .exe.config file extension.

View log files

Passive identity agent log files are stored in plain text format in the agent's installation directory: C:\Program Files\Program Files (x86)\Cisco\Cisco Passive Identity Agent .

Use Notepad or another text editor to view these files. Log files rotate after reaching 10MB in size.

Use the Microsoft Active Directory event viewer

In the event you are not seeing user sessions in the Cisco Security Cloud Control, you can look on your Microsoft Active Directory server's event viewers for the following Kerberos-related events:

For general information about audit policy, see Audit Policy Recommendations on learn.microsoft.com.

For more information about Windows Group Policy Object settings, see Group Policy Objects on learn.microsoft.com.

Security Requirements for the Passive Identity Agent

To safeguard the system, you should install the passive identity agent on a protected internal network. Although the passive identity agent is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it.

If the passive identity agent and the Security Cloud Control reside on the same network, you can connect the Security Cloud Control to the same protected internal network as the passive identity agent.

Regardless of how you deploy your appliances, inter-system communication is encrypted. However, you must still take steps to ensure that communications between appliances cannot be interrupted, blocked, or tampered with; for example, with a distributed denial of service (DDoS) or man-in-the-middle attack.

Internet Access Requirements for the Passive Identity Agent

By default, the passive identity agent is configured to communicate with the Firepower System over the internet using HTTPS on port 443/tcp (HTTPS). If you do not want the passive identity agent to have direct access to the internet, you can configure a proxy server.

If your Cloud-delivered Firewall Management Center cannot communicate with the machine on which the passive identity agent is installed, you must use a proxy with the HTTPS protocol enabled.

The way you do this is up to you; for example, you might have a commercial proxy and use a Windows system proxy with HTTPS enabled to communicate with it.

The following information informs you of the ports the passive identity agent use to communicate with each other, with the Security Cloud Control, and with Microsoft Active Directory.

Table 1. Passive Identity Agent port requirements
Port Reason

443

Communicate with the Security Cloud Control.

135

Communicate with Microsoft Active Directory using the MSRPC protocol.

9095

Communicate with each other using the UDP protocol.

History for the Passive Identity Agent

Table 2. History for the Passive Identity Agent

Feature

Minimum Management Center

Minimum Threat Defense

Details

Passive Identity Agent

November 8, 2024

7.6

This feature is introduced.

The passive identity agent identity source sends session data from Microsoft Active Directory (AD) to the management center. Passive identity agent software is supported on:

  • Microsoft AD server (Windows Server 2008 or later)

  • Microsoft AD domain controller (Windows Server 2008 or later)

  • Any client connected to the domain you want to monitor (Windows 8 or later)

See: User Control With the Passive Identity Agent.