Deploy the Passive Identity Agent

You can install the Passive Identity Agent software on any machine that is part of a Microsoft Active Directory (AD) domain you want to use for user awareness and control. In other words, you can install it on any of the following:

  • The Microsoft Active Directory server

  • A domain controller

  • A client connected to the network that is neither the directory server nor a domain controller

Any particular passive identity agent can monitor one or several Active Directory domain controllers in the same domain.

The machine on which the passive identity agent is installed must communicate with the Cloud-delivered Firewall Management Center using the TLS/SSL protocol. For more information, see Internet Access Requirements for the Passive Identity Agent.

Types of agents

You can configure the following types of agents on the Microsoft AD directory server, domain controller, or on any client connected to the domain:

  • Standalone agent: One agent that can monitor one or several Active Directory domain controllers in the same domain.

  • Primary and secondary agents: To provide redundancy, you can install a primary agent and a secondary agent on different machines; each can monitor one or several AD domain controllers in the same domain. The primary agent is responsible for communicating with the Cloud-delivered Firewall Management Center; if that communication fails, the secondary agent takes over.

See one of the following topics for more information.