Chapter 4: Basic Administration Tasks
Configuring alternative group policies
SafeWord 2008’s default configuration should suit the majority of network
topologies and use cases. The SafeWord Agent is responsible for checking
group membership and submitting authentication requests to the
Authentication Engine (see Figure 29).
Figure 29: Typical network setup
Occasionally, the default configuration may not fit a particular network topology
or management policy. For example, if computers in a network DMZ do not have
anonymous access to Active Directory, the SafeWord Agent cannot contact
Active Directory to read the group membership information it uses to
determine which users require SafeWord 2008 authentication. You can
configure SafeWord 2008 to handle such a scenario (see Figure 30).
Figure 30: Alternative network topology
In this configuration, group membership checking is done by the SafeWord
server (rather than the agent). Since the server will typically be running inside
the trusted network, it should have no difficulty obtaining the necessary
information from Active Directory.
[Diagram for Figure 29 (Typical); labels: DMZ, Inside, SafeWord Agent, AAA, AD, SafeWord Server, Group checking, Authentication]
[Diagram for Figure 30 (Alternative); labels: DMZ, Inside, SafeWord Agent, AAA, AD, SafeWord Server, Group Checking, Authentication]