Securing & Protecting Active Directory


Optimal IdM’s Virtual Identity Server (VIS) can be deployed as an LDAP Proxy Firewall to provide the needed protection and security for the sensitive identity data stored in your Active Directory.

LDAP Proxy Firewall

Optimal IdM’s Virtual Identity Server (VIS) can be deployed as an LDAP Proxy Firewall to provide the needed protection and security for the sensitive identity data stored in your Active Directory. An LDAP proxy firewall acts as a barrier between client applications and data stored in your Active Directory.  Instead of client applications directly accessing your sensitive data, which can leave it vulnerable to attack, applications connect to the proxy and the proxy accesses the necessary data. LDAP proxy authentication creates an added layer of security for your sensitive data while still offering real-time access when and where you need it.


Many organizations utilize an http web proxy server, such as Microsoft’s Internet Security and Acceleration (ISA) Server within their web server environment. ISA provides not only a more secure environment, but also additional performance capabilities.

isa-http-web-proxy-server-2xLikewise, when deployed as an LDAP proxy server, VIS offers this type of protection and security for LDAP directories such as Active Directory. Applications connect to the VIS proxy server exactly as they do any normal LDAP directory. In fact, to any client application accessing an LDAP proxy, VIS looks and behaves just like a standard Active Directory or ADAM server to the LDAP enabled client application.


Application-Specific Views

In many cases, applications that are written to Active Directory are written poorly and inefficiently. For example, many applications connect at the root of the Active Directory forest when they may only need to search one or two containers in the tree. Additionally, many applications only need to view users and groups, but in reality are granted access to view more than just users and groups.

This is because Active Directory does not provide the ability to control what is searched, such as specific LDAP queries. When used as an LDAP proxy server, however, VIS can be configured to publish application specific views, granting the application only the data it requires. The result is a more secure Active Directory and increased performance for both the application and Active Directory.



Meet Audit and Compliance Initiatives

[wpex more= “Read more” less= “Read less”] One of the key benefits of using an LDAP DMZ proxy is the ability to simplify auditing, compliance and related security issues. With Virtual Identity Server, you get at-a-glance answers to questions such as: – Who has logged in and when? – What changes were made to data and when? – Who was added to the Administrators group today? – What changes did “Bob” make? [/wpex]

Reduced IT Costs

[wpex more= “Read more” less= “Read less”] Virtual Identity Server has been designed to increase the value of your existing Microsoft environment in the following ways. – VIS leverages the existing investment in Microsoft technology, extending it with increased functionality. –  It is developed in .NET technology and is designed to seamless integrate with your Microsoft environment. – VIS is a platform that continues to grow with an organization’s needs. – It has proven solutions for Microsoft applications such as SharePoint and MIIS/ILM. [/wpex]

Increased Security and Control

[wpex more= “Read more” less= “Read less”] Using VIS as an LDAP proxy firewall, you can: – Gain greater control over what accounts connect, bind, and search your LDAP directory. – Limit the entry points into your Active Directory, further protecting your Active Directory. – Monitor and report on changes to the directory in real-time. – Limit what searches and modifications can be performed against the LDAP directory. [/wpex]

Eliminate Deployment Barriers

[wpex more= “Read more” less= “Read less”] The Virtual Identity Server provides an enhanced application environment by allowing organizations to rapidly and easily deploy applications to users existing in multiple Active Directory forests or directories. – The VIS Schema Manager™ eliminates the need to extend the Active Directory schema for third party LDAP applications. – VIS allows you to rapidly deploy applications to users existing in multiple Active Directory Forests without any forest trusts. – VIS simplifies your identity management deployment by accessing data at its source directly. – VIS provides multiple views of data, allowing for easy discreet application views of enterprise data. [/wpex]

Active Directory vs. Active Directory with Virtual Identity Server LDAP Proxy Firewall

The Virtual Identity Server™ (VIS™), deployed as an LDAP proxy server provides the needed protection and security for Active Directory. Active Directory Alone

  • Active Directory is vulnerable and unsecure to attacks such as denial of service.
  • Applications have more access then they need with the principle of least privilege being very hard to enforce.
  • Data in Active Directory is difficult to secure because administrators have little control over the applications accessing the data.
  • Poorly written applications can crash Active Directory causing outages for end users.
  • Active Directory performance is susceptible to inefficient queries that applications send.

[wpex more= “Read more” less= “Read less”] Active Directory with Virtual Identity Server LDAP Proxy Firewall

  • Active Directory is more secure by being placed behind an LDAP firewall proxy server. Applications no longer access AD directly.
  • VIS provides data leakage prevention (DLP) by only publishing the data that the applications require.
  • Active Directory is now protected and safe because inefficient or rogue queries are either blocked or transformed in real-time into more efficient queries.
  • VIS provides a complete auditing solution for all applications accessing AD. All activity (modifications, searches) are captured.
  • All applications now have built-in failover. As backend systems fail, VIS provides the failover mechanisms automatically at the server layer.
  • All applications now have built-in connection pooling to AD, which increases performance and reliability significantly.
  • Application deployment time is reduced by over 50% by quickly providing real-time application specific views from multiple data stores.
  • VIS removes application deployment barriers by handling AD schema changes virtually and rapidly providing multi-forest views without any forest trusts.
  • VIS reduces the Kerberos token size limit problem by providing application specific groups at the VIS layer.
  • Active Directory and application performance is increased by mapping inefficient queries into more efficient queries, without code.
  • Leverages and extends the existing investment in the Microsoft platform.

No Active Directory should be left unprotected. [/wpex]


Does VIS support Kerberos and/or NTLM/Negotiate authentications?

faq-imageYes, VIS supports Kerberos, NTLM and Negotiate as authentication options on both the listing side as well as the back-end connection sides.

Can I get a demo/evaluation version of VIS?

Yes. Please fill out a demo form with your contact information.

What data stores can the Virtual Identity Server connect to?

The Virtual Identity Server supports a number of data stores directly with out of the box adapters. Additionally, a customer or integrator can create adapters utilizing our built-in extensibility.

Is your product FIPS compliant?

Yes. Our software is running in both non-secure and secure government networks.