Configuring the Hosted Email Security (HES) ActiveDirectory Sync Client after installation

Solution ID Last Updated
1060411 Mar. 27, 2014 5:58 AM (PST)

Product / Version Platform
Hosted Email Security - 1.9.8, 2.0;
N/A - N/A

Problem Description

This article tells you how to configure the HES ActiveDirectory Sync Client after installing it.


The HES ActiveDirectory Sync Client starts automatically once it is installed. However, before you can start using the ActiveDirectory Sync Client to synchronize user email addresses to the HES service, you need to configure some parameters like the LDAP Path, Network Settings, and the Search Criteria. You can also choose to view the History Logs.
Important: Make sure to enable the Web Services Application. Go to Administration > Web Services on the HES console before you proceed with the steps below.
Enable Web Services Application
[ Expand All ]


Setting the LDAP (ActiveDirectory) Path

The main page is for setting the LDAP path. To set the HES ActiveDirectory path, you can enter one or more LDAP paths by which the sync client program can retrieve the user email address (mail record) data.
Set the LDAP (ActiveDirectory) path


Configuring the Network Settings

Acess Authentication
To access Hosted Email Security Web services applications, you must provide the network parameters.
To configure the network settings, click Configure at the bottom of the main page. The Network Settings dialog box will appear.
Hosted Email Security Admin Logon Account
The login account is the account credentials to access the Web services.
  • User Name is the log-on user name given to you for accessing the HES administrative web console. Refer to your welcome letter, sent when you subscribed to the HES service.
  • Service Auth Key is the APIKEY that you generated on the HES administrative web console for authenticating HES Web services access.
Proxy Settings
Currently, only HTTP proxy is supported. You can configure three different kinds of proxy settings:
  • Do not use a proxy.
  • Automatically detect proxy settings - Use the proxy setting of Microsoft Internet Explorer.
  • Manually set the proxy - Input the proxy information in the text boxes under "Manually set the proxy".
When you click OK to configure the proxy settings, HES ActiveDirectory Sync client attempts to make a test connection to HES Web services. If HES Web services are unreachable, the following error message appears:
Error retrieving the Web Service settings
Sync Interval
Sync interval is the frequency with which the HES ActiveDirectory Sync client checks for user account updates in Active Directory. The first synchronization starts one interval after you start the AD Sync Client. The minimum interval is 1 hour. We suggest that you set the interval no higher than 24 hours.
Sync Now Function
If you need to see the sync result sooner than the next scheduled synchronization, you can execute a synchronization immediately by clicking Sync Now in the AD Sync Client, as shown in the figure below.
Note: If you click Sync Now while a scheduled synchronization is in progress, the new sync action will begin after the scheduled synchronization is complete.
Sync Now


Modifying the Search Criteria

By default, the HES ActiveDirectory Sync Client searches for an object class "User" and its three attributes:
  • displayName
  • mail
  • proxyAddresses
These defaults are set in an XML configuration file called IMHS_AD_ACL.config, whose contents are shown in the figure below:
However, the client provides the flexibility for you to modify these defaults if you wish. For example, if for purposes of confidentiality you would like for the client to search only for proxy addresses but not email addresses or display names, you could modify these settings by revising the config file as shown in the figure below:
Modify the default settings
You can leave the default value as is but add more alternate path names. For example, as shown in the figure below:
Add alternate path names
You can also add self-defined object classes or attribute names. If you modify this config file, save it and restart the client in order for your changes to take effect.
Note: The tag is the root tag in this XML file. Although you can add multiple blocks, there can be only one opening tag and one closing tag in the IMHS_AD_ACL.config file.
Inheritance of Object Classes
In Active Directory schema, object classes can be inherited. If an object class is configured in IMHS_AD_ACL.config, then the objects of its subclasses under the same LDAP path will be retrieved as well. Take this into consideration when modifying the ACL configuration file.
For example, in config file sample A, the first of the two sample configuration files shown in the figure below, class inetOrgPerson is a subclass of user. If for the same LDAP path we configure the object class user, as in config file sample B, the query will also retrieve inetOrgPerson objects. Both of these configuration files would retrieve the same objects.
Config file
It is not necessary to configure inetOrgPerson. Whereas, if we remove inetOrgPerson from the ACL file but keep the user, objects of inetOrgPerson will still be retrieved. In other words, if an object class is removed from ACL, its entries in the server will be removed if they are not in other object classes specified in ACL.
Note: HES preserves this config file for future use, even if you re-install the client.


Viewing the History Log

HES ActiveDirectory Sync Client provides transaction logging. To view the recent transactions, click History.
The history information contains three columns: TimeStamp, Event and Reason(s), as shown in the figure below.
History Log

Rate this Solution
Did this article help you?

Please provide your comments to help us improve this solution.

  *This form is an automated system. General questions, technical, sales and product-related issues submitted through this form will not be answered.

Connect with us on