Optimal IdM’s Virtual Identity Server (VIS) can be deployed as an LDAP Proxy Firewall to provide the needed protection and security for the sensitive identity data stored in an Active Directory (AD). An LDAP proxy firewall acts as a barrier between client applications and data stored in your AD.  Instead of client applications directly accessing your sensitive data, which can leave it vulnerable to attack, applications connect to the proxy and the proxy accesses the necessary data. LDAP proxy authentication creates an added layer of security for your sensitive data while still offering real-time access when and where you need it.  

Register for a Free Trial Today!

Interested in the features and benefits of Optimal IdM? Request a demo! Request Demo

VIS LDAP Proxy Firewall

Many organizations utilize an http web proxy server, such as Microsoft’s Internet Security and Acceleration (ISA) Server within their web server environment. ISA provides not only a more secure environment but also additional performance capabilities. LDAP Proxy Firewall Likewise, when deployed as an LDAP proxy server, VIS offers this type of protection and security for LDAP directories such as an Active Directory. Applications connect to the VIS proxy server exactly as they do any normal LDAP directory. In fact, to any client application accessing an LDAP proxy, VIS looks and behaves just like a standard Active Directory or ADAM server to the LDAP enabled client application. isa-http-web-proxy-server-2x

Application-Specific Views

In many cases, applications that are written to an Active Directory are written poorly and inefficiently. For example, many applications connect at the root of the Active Directory forest when they may only need to search one or two containers in the tree. Additionally, many applications only need to view users and groups, but in reality are granted access to view more than just users and groups. This is because Active Directories do not provide the ability to control what is searched, such as specific LDAP queries. When used as an LDAP proxy server, however, VIS can be configured to publish application specific views, granting the application only the data it requires. The result is a more secure Active Directory and increased performance for both the application and the AD.

Product Features

The Virtual Identity Server is easy to install and configure. When VIS is deployed as an LDAP Proxy Firewall, it provides a more secure environment and additional performance capabilities, such as:


Meet Audit and Compliance Initiatives

One of the key benefits of using an LDAP DMZ proxy is the ability to simplify auditing, compliance and related security issues.

With VIS as an LDAP proxy, you get at-a-glance answers to questions such as:

– Who has logged in and when?

– What changes were made to data and when?

– Who was added to the Administrators group today?

– What changes did “employee x” make?

Increased Security and Control

Using VIS as an LDAP proxy firewall, you can:

– Gain greater control over what accounts connect, bind, and search your LDAP directory.

– Limit the entry points into your secure Active Directory, further protecting your AD.

– Monitor and report on changes to the directory in real-time.

– Limit what searches and modifications can be performed against the LDAP directory.

Eliminate Deployment Barriers

Rapidly and easily deploy applications to users existing in multiple Active Directory forests or directories.

– The VIS Schema Manager™ eliminates the need to extend the Active Directory schema for third party LDAP applications.

– VIS allows you to rapidly deploy applications to users existing in multiple Active Directory Forests without any forest trusts.

– VIS simplifies your identity management deployment by accessing data at its source directly.

– VIS provides multiple views of data, allowing for easy discreet application views of enterprise data.


In any business setting, one of the key security policies is to give each employee just enough access to I.T. resources for them to perform their respective job functions.

If an employee has been given too much access, then ‘data leakage’ can occur. This is when an application (such as a database query) can literally return more confidential data than what the employee needs to have or know. An LDAP Virtual Directory greatly minimizes this security risk by only allowing the employee to access this confidential data when and where it is needed. In other words, data is not reproduced multiple times throughout the business.

Active Directory vs. Active Directory with VIS LDAP Proxy Firewall

The Optimal IdM Virtual Identity Server™ (VIS), deployed as an LDAP firewall proxy server provides the needed protection, firewall authentication, and security for Active Directories.

Active Directory Alone

  • –  An Active Directory is vulnerable and unsecure to attacks such as denial of service.
  • –  Applications have more access then they need with the principle of least privilege being very hard to enforce.
  • –  Data in an Active Directory is difficult to secure because administrators have little control over the applications accessing the data.
  • –  Poorly written applications can crash an Active Directory causing outages for end users.
  • –  Active Directory performance is susceptible to inefficient queries that applications send.

Active Directories with a VIS LDAP Proxy Firewall

  • The Active Directory is more secure by being placed behind an LDAP firewall proxy server. Applications no longer access the AD directly.
  • VIS provides data leakage prevention (DLP) by only publishing the data that the applications require.
  • The Active Directory is now protected and safe because inefficient or rogue queries are either blocked or transformed in real-time into more efficient queries.
  • VIS provides a complete auditing solution for all applications accessing the AD. All activity (modifications, searches) are captured.
  • All applications now have a built-in failover. As backend systems fail, VIS provides the failover mechanisms automatically at the server layer.
  • All applications now have a built-in connection pooling to the AD, which increases performance and reliability significantly.
  • Application deployment time is reduced by more than 50% by quickly providing real-time application specific views from multiple data stores.
  • VIS removes application deployment barriers by handling AD schema changes virtually and rapidly providing multi-forest views without any forest trusts.
  • VIS reduces the Kerberos token size limit problem by providing application specific groups at the VIS layer.
  • Active Directory and application performance is increased by mapping inefficient queries into more efficient queries, without code.
  • VIS leverages and extends the existing investment in the Microsoft platform & enables LDAP firewall authentication.


No Active Directory should be left unprotected or not secure.

Frequently Asked Questions

Does VIS support Kerberos and/or NTLM/Negotiate authentications?

Yes, VIS supports Kerberos, NTLM and Negotiate as authentication options on both the listing side as well as the back-end connection sides.

Can I get a demo/evaluation version of VIS?

Yes. Please fill out a demo form with your contact information.

What data stores can the Virtual Identity Server connect to?

The Virtual Identity Server supports a number of data stores directly with out of the box adapters. Additionally, a customer or integrator can create adapters utilizing our built-in extensibility.

Is your product FIPS compliant?

Yes. Our software is running in both non-secure and secure government networks.

Does VIS support caching?

Yes. There are multiple caching options with VIS. Caching can be configured on an object class by object class basis, with a time to live and cache size as well. Most organizations in most situations, however, do not need to use caching.

Do you SharePoint integration?

We support WSS 3.0, SharePoint 2007, 2010 & 2013.

Do you support server virtualization like HyperV or VMWARE?


Does VIS come as a 64-bit application?

Yes. VIS is now only offered in a 64-bit version of the product.

Is VIS supported on Windows 2012?

Yes. The Virtual Identity Server is certified on both Windows Server 2012 and Windows Server 2012 R2.

Is VIS supported on Windows 2008?

Yes. The Virtual Identity Server is certified on both Windows Server 2008 and Windows Server 2008 R2.

Is VIS supported on Windows 2003?

Yes. The Virtual Identity Server is certified on both Windows Server 2003.

What additional software requirements does VIS have?

VIS was written in Microsoft’s .NET programming language and utilizes the .NET 4.5 Framework.

What encryption algorithms does your product support?

VIS can encrypt this information with any of the following algorithms Triple-DES (3DES), AES, RIJNDAEL and BLOWFISH

Does your product store any un-encrypted user id information or passwords?

Individual entries, such as bind accounts and passwords or even the entire XML file can be optionally encrypted using the GUI.

Is there a GUI to maintain the XML file?

Yes. There is a Windows GUI that provides an easy interface to edit the XML file. You can also edit the XML file manually if you prefer.

Can this XML file be shared across multiple VIS servers?

Yes. Multiple VIS server instances can all share the same XML file.

How does VIS store configuration information?

The product configuration is stored in one XML file, making the product extremely easy to configure and migrate.

What TCP/IP port does VIS run/listen on?

VIS can be configured to run on any port you choose provided another application is not using that port. You can choose the standard LDAP port of 389 or 636 (SSL).

Can VIS be load balanced?

Yes. VIS can be placed behind a load balancer (either software or hardware), allowing for a fail-over and load balancing configuration for the applications that connect to VIS. In addition, the connections that VIS makes to connected directories can be load balanced as well.

What types of listeners does VIS support?

VIS can listen via LDAP v3, REST Web Service, PowerShell out of the box, but can be extended to listen via any protocol/method desired using the API’s.  With 3rd party ODBC/ADO.NET Drivers, SQL calls can also be made.

How long does it take to install and configure VIS?

VIS installs in minutes, using a standard MSI/setup.exe. After installing the binary files, a wizard guides you through the configuration of the product. While the Virtual Identity Server has the most comprehensive features of any virtual directory product on the market, a key differentiator is how easy the product is to install and configure.


Data Sheet: Virtual Identity Server

Read More
White Paper: VIs for Automated Compliance Management

Read More

Read More

Can’t wait? Get Optimal IdM IAM Services Now

Contact Us Start Your Free Trial View Pricing